Windows Analysis Report
setup.msi

Overview

General Information

Sample name: setup.msi
Analysis ID: 1579288
MD5: 2a680c15a6a3d07a5e4dce69c190f91c
SHA1: 73e7ac9d834f35c38712256f744c03471da90b68
SHA256: 38072285421b1dda58ca4d8f722346d3cdf32b43203ae6ec5254dcdc24546b65
Tags: msi, user-aachum

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6188 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6380 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5808 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 1576 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIADAP.exe (PID: 1576 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
    • cmd.exe (PID: 1020 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 5960 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 5896 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
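The tree above is the chain the Sigma signatures fire on: the per-package custom-action host (msiexec.exe -Embedding, PID 5808) starts powershell.exe with -ExecutionPolicy Bypass on a script in the user's Temp folder, and the System32 msiexec service process runs a .bat from AppData\Roaming. The command-line shape (pss*.ps1, -propFile, -scriptFile, -propSep) comes from the package's PowerShellScriptLauncher custom action, which the PDB strings further down name, so any package built with the same tooling and a PowerShell custom action produces the same events; these rules are a triage signal, not a verdict. The following Python is an added example, not Joe Sandbox or Sigma code: it encodes the three conditions as functions and runs them over process-creation records constructed from the tree. The record field names and the benign control event are assumptions of the example.

```python
"""Sigma-style checks for the msiexec -> powershell chain in the process tree
above. Added example; event records are constructed from the tree, not real
Sysmon/EDR telemetry, and the field names are an assumption of this example."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# -ep / -ex / -ExecutionPolicy followed by an insecure level.
EXEC_POLICY = re.compile(r"-e[a-z]*\s+(?:bypass|unrestricted)\b", re.I)
# A script file under a user-writable profile directory.
USER_DIR_SCRIPT = re.compile(
    r"\\AppData\\(?:Local\\Temp|Roaming)\\[^\"]*\.(?:ps1|bat|cmd|vbs|js)\b", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str
    parent_cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list:
    """Return the names of the rules this single event satisfies."""
    hits = []
    child = basename(ev.image)
    # "Suspicious MsiExec Embedding Parent": the custom-action host
    # (msiexec -Embedding <GUID>) spawning a script interpreter.
    if (basename(ev.parent_image) == "msiexec.exe"
            and "-embedding" in ev.parent_cmdline.lower()
            and child in SCRIPT_HOSTS):
        hits.append("msiexec_embedding_parent")
    # "Change PowerShell Policies to an Insecure Level".
    if child in {"powershell.exe", "pwsh.exe"} and EXEC_POLICY.search(ev.cmdline):
        hits.append("powershell_execution_policy_bypass")
    # "Suspicious Script Execution From Temp Folder" and "Script Interpreter
    # Execution From Suspicious Folder", collapsed into one path check.
    if child in SCRIPT_HOSTS and USER_DIR_SCRIPT.search(ev.cmdline):
        hits.append("script_in_user_writable_dir")
    return hits


def scan(events) -> dict:
    """Map pid -> sorted rule names, for events that hit at least one rule."""
    result = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            result[ev.pid] = sorted(hits)
    return result


# Constructed from the process tree above (long command lines shortened).
EVENTS = [
    ProcEvent(5808, r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3",
              r"C:\Windows\System32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1576, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt"',
              r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3"),
    ProcEvent(1020, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""',
              r"C:\Windows\System32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    # Constructed benign control: a signed deployment script from Program Files.
    ProcEvent(4242, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -ExecutionPolicy AllSigned -File "C:\Program Files\Vendor\deploy.ps1"',
              r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, ", ".join(rules))
```

The parent check keys on -Embedding rather than on msiexec.exe alone because every MSI custom action runs under such a host; the signal is the child being a script interpreter, and it gets stronger when the other two rules hit the same PID, as they do for 1576 here.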

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5808, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 1576, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5808, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 1576, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5808, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 1576, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 172.67.164.25, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5808, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started; Author: frack113; Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5808, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 1576, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5808, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 1576, ProcessName: powershell.exe
Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-12-21T13:04:20.960775+0100  2829202  1         A Network Trojan was detected  192.168.2.5  49704        172.67.164.25   443               TCP


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 93.1% probability
Source: C:\Windows\System32\msiexec.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9323EC13-B736-45ED-8845-7358C228FF45}
Source: unknown; HTTPS traffic detected: 172.67.164.25:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000008.00000000.2256663495.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000B.00000000.2263248130.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi
Source: Binary string: ucrtbase.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, MSI55A1.tmp.1.dr, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000B.00000002.2266818488.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, MSI55A1.tmp.1.dr, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 68204f.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000B.00000000.2263248130.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000008.00000000.2256663495.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 68204f.msi.1.dr
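The "Binary string: ...pdb" entries above are PDB paths read out of each PE's CodeView (RSDS) debug record. Where an entry carries extra characters after .pdb (pdbk, pdbGCTL, pdb))), those are bytes that follow the path in the file and were swept in by a plain string scan; a structured parse stops at the record's NUL terminator and does not pick them up. The following Python is an added example, not Joe Sandbox code: it scans a byte buffer for RSDS records, returns GUID, age and path, and builds the symbol-store key (pdbname/GUID+age/pdbname) a practitioner would use to pull public symbols for the Microsoft and Adobe components listed. The sample buffer is constructed, with made-up GUIDs and a decoy "RSDS" in junk; only the two PDB paths inside it are copied from the entries above.

```python
"""Pull PDB paths out of CodeView (RSDS) debug records by scanning a PE image's
bytes. Added example, not Joe Sandbox code; the sample buffer is constructed."""
import struct
import uuid

RSDS_HEADER = 4 + 16 + 4   # signature, GUID, age; a NUL-terminated path follows


def find_rsds_records(data: bytes) -> list:
    """Return (guid, age, pdb_path) for each plausible RSDS record in data.

    A full PE parser would reach the record through the debug directory; a
    scan is what strings-style triage does and also works on memory dumps.
    The NUL terminator bounds the path, so bytes after it (such as the GCTL
    marker in MSVC builds) are never part of the result."""
    records = []
    pos = data.find(b"RSDS")
    while pos >= 0 and pos + RSDS_HEADER <= len(data):
        guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])   # Windows GUID layout
        (age,) = struct.unpack_from("<I", data, pos + 20)
        end = data.find(b"\x00", pos + RSDS_HEADER)
        raw_path = data[pos + RSDS_HEADER:end] if end >= 0 else b""
        try:
            path = raw_path.decode("ascii")
        except UnicodeDecodeError:
            path = ""
        # "RSDS" can occur by chance; require a printable path ending in .pdb.
        if path.isprintable() and path.lower().endswith(".pdb"):
            records.append((str(guid), age, path))
        pos = data.find(b"RSDS", pos + 4)
    return records


def symbol_server_key(guid: str, age: int, pdb_path: str) -> str:
    """Symbol-store lookup path: <name>/<GUID hex, upper, no dashes><age hex>/<name>."""
    name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    return f"{name}/{uuid.UUID(guid).hex.upper()}{age:X}/{name}"


# Constructed sample: two RSDS records with made-up GUIDs, a decoy "RSDS" in
# junk bytes, and the GCTL bytes that follow the path in real MSVC builds.
# The two PDB paths are copied from the report entries above.
GUID_A = uuid.UUID("12345678-1234-5678-1234-567812345678")
GUID_B = uuid.UUID("0badf00d-0000-4000-8000-000000000042")
SAMPLE = (
    b"MZ" + b"\x90" * 30
    + b"RSDS" + GUID_A.bytes_le + struct.pack("<I", 1)
    + b"C:\\ReleaseAI\\win\\Release\\custact\\x86\\PowerShellScriptLauncher.pdb\x00"
    + b"GCTL" + b"\x00" * 8
    + b"RSDS\xff\xfe\xfd" + b"\x01" * 30          # decoy: not a real record
    + b"RSDS" + GUID_B.bytes_le + struct.pack("<I", 3)
    + b"D:\\releases\\dva\\shared\\adobe\\dvacore\\lib\\win\\release\\64\\dvacore.pdb\x00"
)

if __name__ == "__main__":
    for guid, age, path in find_rsds_records(SAMPLE):
        print(path, "->", symbol_server_key(guid, age, path))
```

The GUID is decoded with bytes_le because the record stores a Windows GUID struct (little-endian Data1 to Data3), not a big-endian UUID; getting that wrong produces a key the symbol store will not resolve.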
Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Windows\System32\cmd.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B912A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn

Networking

Source: Network traffic; Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.5:49704 -> 172.67.164.25:443
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: cubermo.com
Source: unknown; HTTP traffic detected: POST /updater.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded; charset=utf-8 | User-Agent: AdvancedInstaller | Host: cubermo.com | Content-Length: 71 | Cache-Control: no-cache
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: setup.msi, 68204f.msi.1.dr; String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 00000004.00000002.2197381041.0000000000C98000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: setup.msi, 68204f.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: setup.msi, 68204f.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: setup.msi, 68204f.msi.1.dr; String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: setup.msi, 68204f.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0K
Source: setup.msi, 68204f.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0N
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000004.00000002.2198351742.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: setup.msi, 68204f.msi.1.dr; String found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000004.00000002.2198351742.0000000004D61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2198351742.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ImporterREDServer.exe, 0000000B.00000002.2266818488.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr; String found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000004.00000002.2198351742.0000000004D61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: setup.msi; String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: setup.msi, 68204f.msi.1.dr; String found in binary or memory: https://cubermo.com/updater.phpx
Source: powershell.exe, 00000004.00000002.2198351742.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2198351742.000000000558C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr; String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown; Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown; HTTPS traffic detected: 172.67.164.25:443 -> 192.168.2.5:49704 version: TLS 1.2
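The Suricata alert (ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA, keyed by its name on the User-Agent) and the POST to cubermo.com/updater.php are the report's network evidence, and the same URL also sits as a string inside setup.msi and the cached 68204f.msi. The following Python is an added example, not Joe Sandbox or Emerging Threats code: it parses the POST as the report renders it (CRLF line endings restored, and a constructed 71-byte body to match the Content-Length, since the report shows only the headers) and scores it against the destination IP, Host, URI and User-Agent. The User-Agent is deliberately treated as weak on its own: the DataUploader.pdb path above shows the package carries an Advanced Installer uploader custom action, and the example assumes that other packages built with the same tool can send the same User-Agent, so the verdict requires the host or IP to match as well. The control request with a different vendor host is constructed for contrast.

```python
"""Parse the HTTP POST recorded above and score it against the report's network
indicators. Added example (not Joe Sandbox code); the request bytes are
reconstructed from the report's one-line rendering with CRLFs restored and a
constructed 71-byte body."""

# Indicators taken from the report above.
IOC = {
    "dst_ip": "172.67.164.25",
    "host": "cubermo.com",
    "uri": "/updater.php",
    "user_agent": "AdvancedInstaller",
}


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, bounded body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()   # case-insensitive names
    declared = int(headers.get("content-length", "0"))
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body[:declared],
            "body_complete": len(body) >= declared}


def match_indicators(req: dict, dst_ip: str) -> list:
    """Names of the report's indicators this request and destination match."""
    hits = []
    if dst_ip == IOC["dst_ip"]:
        hits.append("dst_ip")
    if req["headers"].get("host", "").lower() == IOC["host"]:
        hits.append("host")
    if req["method"] == "POST" and req["uri"] == IOC["uri"]:
        hits.append("uri")
    if req["headers"].get("user-agent") == IOC["user_agent"]:
        hits.append("user_agent")
    return hits


def verdict(hits: list) -> str:
    """'match' needs the infrastructure (host or IP); UA/URI alone is 'weak'."""
    strong = {"dst_ip", "host"}
    if strong & set(hits):
        return "match"
    return "weak" if hits else "none"


SAMPLE_BODY = b"id=" + b"0" * 68   # constructed: 71 bytes, like the report's Content-Length
SAMPLE_REQUEST = (
    b"POST /updater.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    b"User-Agent: AdvancedInstaller\r\n"
    b"Host: cubermo.com\r\n"
    b"Content-Length: 71\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n" + SAMPLE_BODY
)
# Constructed control: same framework User-Agent, unrelated vendor host.
CONTROL_REQUEST = (
    b"POST /telemetry HTTP/1.1\r\n"
    b"User-Agent: AdvancedInstaller\r\n"
    b"Host: updates.example.invalid\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for raw, ip in ((SAMPLE_REQUEST, "172.67.164.25"), (CONTROL_REQUEST, "203.0.113.10")):
        hits = match_indicators(parse_http_request(raw), ip)
        print(ip, hits, verdict(hits))
```

The body is cut at the declared Content-Length and its completeness reported separately, so a truncated capture still parses; the Suricata alert here fired on the first request, but a collector that only saw headers would otherwise misreport the upload size.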
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\68204f.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI29D5.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI2AD0.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI2B0F.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI2B3F.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI2B8E.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI2BCE.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI2BFE.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI4A06.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\SourceHash{9323EC13-B736-45ED-8845-7358C228FF45}
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI5590.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI55A1.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\682052.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\682052.msi
Source: C:\Windows\System32\wbem\WMIADAP.exe; File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe; File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\msiexec.exe; File deleted: C:\Windows\Installer\MSI29D5.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00F5B518
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B9142208
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B915A27C
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B912F9B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B915F9DA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B9139460
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B9140C60
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B9145470
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B9136440
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B9146C84
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B91544E0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B913BCD0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B9146338
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B9144340
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 11_2_00007FF8B913ABB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B915B69811_2_00007FF8B915B698
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B9152D7011_2_00007FF8B9152D70
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B915BDA011_2_00007FF8B915BDA0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B91595A811_2_00007FF8B91595A8
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B913CDF011_2_00007FF8B913CDF0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B912D81011_2_00007FF8B912D810
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B912E8B011_2_00007FF8B912E8B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B915288011_2_00007FF8B9152880
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B91360D011_2_00007FF8B91360D0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B9143F0011_2_00007FF8B9143F00
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B913DF1011_2_00007FF8B913DF10
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B914071011_2_00007FF8B9140710
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B9138FB011_2_00007FF8B9138FB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B912C78011_2_00007FF8B912C780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B914478011_2_00007FF8B9144780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8BFB5750811_2_00007FF8BFB57508
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: setup.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs setup.msi
Source: setup.msiBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.msi
Source: setup.msiBinary or memory string: OriginalFilenameDataUploader.dllF vs setup.msi
Source: setup.msiBinary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.msi
Source: setup.msiBinary or memory string: OriginalFilenameucrtbase.dllj% vs setup.msi
Source: setup.msiBinary or memory string: OriginalFilenamevcruntime140.dllT vs setup.msi
Source: setup.msiBinary or memory string: OriginalFilenamemsvcp140.dllT vs setup.msi
Source: setup.msiBinary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs setup.msi
Source: setup.msiBinary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs setup.msi
Source: setup.msiBinary or memory string: OriginalFilenameembeddeduiproxy.dllF vs setup.msi
Source: dvacore.dll.1.drBinary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engineClassification label: mal68.evad.winMSI@18/94@1/1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_0000000140010BE0 GetLastError,FormatMessageA,11_2_0000000140010BE0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 11_2_00007FF8B912A7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn,11_2_00007FF8B912A7B0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CML6017.tmpJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_03
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF518574BEBB17DA44.TMPJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\PayloadJump to behavior
Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3Jump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""Jump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvacore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: libzip.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_system.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_filesystem.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvaunittesting.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: utest.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9323EC13-B736-45ED-8845-7358C228FF45}
Source: setup.msi | Static file information: File size 60336332 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000008.00000000.2256663495.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000B.00000000.2263248130.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi
Source: Binary string: ucrtbase.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, MSI55A1.tmp.1.dr, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000B.00000002.2266818488.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, MSI55A1.tmp.1.dr, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 68204f.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000B.00000000.2263248130.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000008.00000000.2256663495.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.dr | Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr | Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr | Static PE information: section name: _RDATA
Source: createdump.exe.1.dr | Static PE information: section name: _RDATA
Source: MSI55A1.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI29D5.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2AD0.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2B0F.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2B3F.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2B8E.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2BCE.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2BFE.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI4A06.tmp.1.dr | Static PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00F50A90 push FFFFFFE9h; retf 4_2_00F50AA9
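The future-dated link time on api-ms-win-core-synch-l1-2-0.dll above is the evidence behind the report's "Binary contains a suspicious time stamp" signature. As an added example (written for this page, not Joe Sandbox code), the script below reads the same COFF field from a PE header and classifies it; run without arguments it decodes a constructed header carrying the reported value 0x8A188CB0, with a real file path it reads that file instead. REPORTED_TS, the reference time used in the classification and the helper names are assumptions of the example.

```python
"""Decode the COFF TimeDateStamp of a PE file and flag implausible values.

Added example for reading this report; it is not Joe Sandbox code. Without a
file argument it builds a constructed header carrying 0x8A188CB0, the value
the report lists for api-ms-win-core-synch-l1-2-0.dll, so it runs offline.
"""
import struct
import sys
import time
from datetime import datetime, timezone

REPORTED_TS = 0x8A188CB0  # value from the report's "Static PE information" row


def coff_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp.

    e_lfanew (offset 0x3C of the DOS header) holds the offset of the
    "PE\\0\\0" signature; the 20-byte COFF header follows it, and
    TimeDateStamp sits 8 bytes past the signature (after Machine and
    NumberOfSections).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_to_utc(ts: int) -> str:
    """Render the 32-bit Unix timestamp the way the report prints it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def classify_timestamp(ts: int, now: int) -> str:
    """'zero' (stripped), 'future' (later than the reference time) or 'plausible'.

    Caveat for the analyst: Microsoft's reproducible builds, which include
    the api-ms-win-* forwarder DLLs shipped with the VC++/UCRT
    redistributables, store a hash in this field rather than a build date,
    so 'future' on such a file is expected and is not evidence on its own.
    """
    if ts == 0:
        return "zero"
    if ts > now:
        return "future"
    return "plausible"


def build_minimal_pe(ts: int) -> bytes:
    """Constructed MZ stub + PE signature + COFF header; enough for coff_timestamp()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    # Machine=x64, 0 sections, TimeDateStamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()  # headers are at the front; whole file is simplest
    else:
        blob = build_minimal_pe(REPORTED_TS)
    ts = coff_timestamp(blob)
    print(f"TimeDateStamp 0x{ts:08X} = {timestamp_to_utc(ts)} -> "
          f"{classify_timestamp(ts, int(time.time()))}")
```

Before weighting this finding, check whether the file is a stock redistributable component: compare its hash against a known-good copy of the VC++/UCRT redistributable rather than trusting the date, since the forwarder DLLs are Microsoft-built with hash-valued timestamps.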
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2B8E.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4A06.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2B3F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2AD0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2B0F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI55A1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2BFE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2BCE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI29D5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2BFE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2AD0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2BCE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2B0F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4A06.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI55A1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2B8E.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI29D5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2B3F.tmp
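The "File created" rows above and the "Section loaded" rows earlier in the report are more useful read together than apart: they tell you which of the modules the dropped ImporterREDServer.exe loaded were themselves written into its directory by msiexec. As an added triage example (written for this page, not Joe Sandbox code), the script below parses both row types and, for every dropped executable running from a user-writable path, splits its loaded modules into those also dropped alongside it and the rest. The report lists loaded sections by module name only, so the match is by file name and is a lead to confirm against the process's module list, not proof of the load path. The embedded excerpt is a constructed copy of rows from this report; the function names and the user-writable heuristic are assumptions of the example.

```python
"""Correlate a Joe Sandbox 'File created' list with 'Section loaded' rows.

Added example for reading this report; not Joe Sandbox code. REPORT_EXCERPT is
a constructed copy of rows from the report so the script runs offline; point
parse_report() at the full exported text to run it for real.
"""
import ntpath  # Windows path semantics regardless of the host OS
import re

REPORT_EXCERPT = r"""
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI55A1.tmpJump to dropped file
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: dvacore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: libzip.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: boost_system.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
"""

# Tolerates both the raw export (columns run together) and a " | " separated cleanup.
ROW_RE = re.compile(r"^Source: (?P<src>.+?)\s*\|?\s*(?P<kind>File created|Section loaded): (?P<val>.+)$")
LINK_SUFFIXES = ("Jump to behavior", "Jump to dropped file")  # navigation residue in the export


def parse_report(text: str):
    """Return (dropped, loads): basename -> dropped path, and process -> loaded module names."""
    dropped, loads = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        for suffix in LINK_SUFFIXES:
            if line.endswith(suffix):
                line = line[: -len(suffix)].rstrip()
        m = ROW_RE.match(line)
        if not m:
            continue  # other row types (registry, PDB strings, ...) are not needed here
        src, kind, val = m.group("src"), m.group("kind"), m.group("val")
        if kind == "File created":
            dropped[ntpath.basename(val).lower()] = val
        else:
            mods = loads.setdefault(src, [])
            if val.lower() not in (x.lower() for x in mods):  # the report repeats loads
                mods.append(val)
    return dropped, loads


def is_user_writable(path: str) -> bool:
    """Heuristic: anything outside C:\\Windows and Program Files is writable by the user."""
    p = path.lower()
    return not (p.startswith(r"c:\windows\ ".strip()) or p.startswith(r"c:\program files"))


def correlate(dropped: dict, loads: dict) -> dict:
    """For each dropped process in a user-writable directory, split the modules it
    loaded into 'co_located' (same name dropped into its own directory) and 'other'."""
    result = {}
    for proc, mods in loads.items():
        if ntpath.basename(proc).lower() not in dropped or not is_user_writable(proc):
            continue
        proc_dir = ntpath.dirname(proc).lower()
        co_located, other = [], []
        for mod in mods:
            path = dropped.get(mod.lower())
            if path is not None and ntpath.dirname(path).lower() == proc_dir:
                co_located.append(mod)
            else:
                other.append(mod)
        result[proc] = {"co_located": sorted(co_located, key=str.lower),
                        "other": sorted(other, key=str.lower)}
    return result


if __name__ == "__main__":
    for proc, buckets in correlate(*parse_report(REPORT_EXCERPT)).items():
        print(proc)
        print("  dropped alongside and loaded:", ", ".join(buckets["co_located"]))
        print("  loaded, not in the drop list :", ", ".join(buckets["other"]))
```

On the excerpt the co-located set for ImporterREDServer.exe is boost_system.dll, dvacore.dll and msvcp140.dll, while apphelp.dll and libzip.dll fall in the second bucket (libzip.dll is loaded but does not appear among the dropped files in this section). The PDB paths the report shows for ImporterREDServer.exe and dvacore.dll point at Adobe build trees, so the co-located list is where to start when deciding which of the dropped files is not a stock component: hash each one and compare against a known-good copy.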
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 11_2_00007FF8B915C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_00007FF8B915C0C0
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4005
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1706
Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 1655
Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 2074
Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 1054
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2AD0.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2B0F.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI55A1.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2B8E.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2BFE.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2BCE.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI4A06.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI29D5.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2B3F.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2684 | Thread sleep count: 4005 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5376 | Thread sleep count: 1706 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6132 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7056 | Thread sleep count: 1655 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7056 | Thread sleep count: 2074 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7056 | Thread sleep count: 1054 > 30
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 11_2_00007FF8B912A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,11_2_00007FF8B912A330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: 68204f.msi.1.dr | Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 8_2_00007FF7482B2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FF7482B2ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 8_2_00007FF7482B2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FF7482B2984
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 8_2_00007FF7482B3074 SetUnhandledExceptionFilter,8_2_00007FF7482B3074
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 8_2_00007FF7482B2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FF7482B2ECC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 11_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 11_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 11_2_0000000140011F24 SetUnhandledExceptionFilter,11_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 11_2_00007FF8B9172CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF8B9172CDC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 11_2_00007FF8BFB6004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF8BFB6004C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss55f9.ps1" -propfile "c:\users\user\appdata\local\temp\msi55f6.txt" -scriptfile "c:\users\user\appdata\local\temp\scr55f7.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr55f8.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: ___lc_locale_name_func,GetLocaleInfoEx,11_2_00007FF8B914EFC0
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 8_2_00007FF7482B2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,8_2_00007FF7482B2DA0
MITRE ATT&CK Matrix

Tactics: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

The matrix cells were flattened by extraction and the per-cell hit counts are not reliably recoverable. Techniques that carried a hit count in the original matrix (the remaining cells showed only the default, unmatched technique names): Scripting, Replication Through Removable Media, Command and Scripting Interpreter, PowerShell, DLL Side-Loading, Windows Service, Process Injection, Disable or Modify Tools, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Timestomp, File Deletion, Masquerading, Virtualization/Sandbox Evasion, System Time Discovery, Peripheral Device Discovery, File and Directory Discovery, System Information Discovery, Security Software Discovery, Process Discovery, Application Window Discovery, Archive Collected Data, Encrypted Channel, Non-Application Layer Protocol, Application Layer Protocol.
Behavior Graph ID: 1579288 | Sample: setup.msi | Start date: 21/12/2024 | Architecture: WINDOWS | Score: 68

Network: cubermo.com 172.67.164.25, port 443 (local port 49704), CLOUDFLARENETUS, United States; contacted by msiexec.exe [14]

Signatures attached to the sample node: Suricata IDS alerts for network traffic; AI detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder

Process tree (node ids from the graph in brackets, counters as shown in the graph):
  msiexec.exe [9] 139 107, started from the sample
    dropped: C:\Windows\Installer\MSI55A1.tmp (PE32); C:\Windows\Installer\MSI4A06.tmp (PE32); C:\Windows\Installer\MSI2BFE.tmp (PE32); 52 other files (none is malicious)
    msiexec.exe [14] 14
      dropped: C:\Users\user\AppData\Local\...\scr55F7.ps1 (Unicode); C:\Users\user\AppData\Local\...\pss55F9.ps1 (Unicode); C:\Users\user\AppData\Local\...\msi55F6.txt (Unicode)
      signatures: Query firmware table information (likely to detect VMs); Bypasses PowerShell execution policy
      contacts: cubermo.com
      powershell.exe [23] 17
        conhost.exe [33]
      WMIADAP.exe [25] 4
    cmd.exe [19] 1
      ImporterREDServer.exe [27] 1
        conhost.exe [35]
      conhost.exe [29]
    createdump.exe [21] 1
      conhost.exe [31]
  msiexec.exe [12] 2, started from the sample

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll | 0% | ReversingLabs
C:\Windows\Installer\MSI29D5.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2AD0.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2B0F.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2B3F.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2B8E.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2BCE.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2BFE.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI4A06.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI55A1.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cubermo.com | 172.67.164.25 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://cubermo.com/updater.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000004.00000002.2197381041.0000000000C98000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2198351742.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.2198351742.0000000004D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2198351742.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000002.2198351742.000000000558C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mic | setup.msi, 68204f.msi.1.dr | false | | unknown
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 0000000B.00000002.2266818488.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr | false | | unknown
https://aka.ms/winui2/webview2download/Reload(): | setup.msi | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2198351742.0000000004D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cubermo.com/updater.phpx | setup.msi, 68204f.msi.1.dr | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2198351742.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.164.25 | cubermo.com | United States | | 13335 | CLOUDFLARENETUS | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1579288
                                      Start date and time:2024-12-21 13:03:16 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 7m 58s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:setup.msi
                                      Detection:MAL
                                      Classification:mal68.evad.winMSI@18/94@1/1
                                      EGA Information:
                                      • Successful, ratio: 33.3%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 14
                                      • Number of non-executed functions: 174
                                      Cookbook Comments:
                                      • Found application associated with file extension: .msi
                                      • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
                                      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ImporterREDServer.exe, PID 5960 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 1576 because it is empty
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
07:04:21 | API Interceptor | 4x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.164.25 | file.exe | malicious | RedLine, SmokeLoader | sqribble.com/admin
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cubermo.com | Setup.msi | malicious | Unknown | 172.67.164.25
 | q9bzWO2X1r.msi | malicious | Unknown | 172.67.164.25
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 104.21.18.185
 | Full-Setup.exe | malicious | LummaC | 104.21.43.127
 | jqplot.hta | malicious | Unknown | 104.21.90.205
 | setup.exe | malicious | LummaC | 104.21.84.113
 | Setup.exe | malicious | LummaC | 104.21.42.70
 | setup.exe | malicious | LummaC | 172.67.191.144
 | Setup.exe | malicious | LummaC Stealer | 104.21.80.1
 | Full-Setup.exe | malicious | LummaC Stealer | 172.67.179.135
 | Set-up!.exe | malicious | LummaC | 104.21.6.74
 | mips.nn.elf | malicious | Mirai, Okiru | 172.69.220.163
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | jqplot.hta | malicious | Unknown | 172.67.164.25
 | Set-up!.exe | malicious | LummaC | 172.67.164.25
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 172.67.164.25
 | Oggq2dY6kx.exe | malicious | Azorult | 172.67.164.25
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 172.67.164.25
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 172.67.164.25
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Vidar, Xmrig | 172.67.164.25
 | Setup.msi | malicious | Unknown | 172.67.164.25
 | q9bzWO2X1r.msi | malicious | Unknown | 172.67.164.25
 | doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | 172.67.164.25
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Setup.msi | malicious | Unknown |
 | q9bzWO2X1r.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe | Setup.msi | malicious | Unknown |
 | q9bzWO2X1r.msi | malicious | Unknown |
 | Setup.msi | malicious | Unknown |
 | build.msi | malicious | Unknown |
 | Setup.msi | malicious | Unknown |
 | New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html | malicious | Unknown |
 | m9u08f2pMF.msi | malicious | Unknown |
 | cwqqRXEhZb.msi | malicious | Unknown |
 | Setup.msi | malicious | Unknown |
 | file.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | Setup.msi | malicious | Unknown |
 | q9bzWO2X1r.msi | malicious | Unknown |
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):21032
                                                                  Entropy (8bit):5.787432334779985
                                                                  Encrypted:false
                                                                  SSDEEP:384:b2WdS/oLFVzHBygct/mnFdKjf1X4Pqq4w4N1EkXiYO5FoQZ9j1TOFTN3F93D3RXa:b2WdS/oLFVzHBygct/mnFdKjf1X4Pqq1
                                                                  MD5:CF920A128D2612F9F9B23105074CF65A
                                                                  SHA1:ED79A35C1E5738E6085650F8C3D9DBD0E2A49CAF
                                                                  SHA-256:1F0972E7ED13DF1E4A34BB755AFF7F2B041B7F5300EAA17E54885601E7DB5EDC
                                                                  SHA-512:23242BA4AA1E6C8C8973CB941A118AA3D952B63732926174CB9BBB1F65A67FC726835D6FA21144D588BF53B6590E1DAB00B295AE5FD78D62527C2AABB0679CFC
                                                                  Malicious:false
                                                                  Preview:...@IXOS.@.....@.8.Y.@.....@.....@.....@.....@.....@......&.{9323EC13-B736-45ED-8845-7358C228FF45}..App x installer..setup.msi.@.....@.....@.....@......icon_22.exe..&.{1E282293-F569-4B57-A204-E05DDA8D05B2}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{9323EC13-B736-45ED-8845-7358C228FF45}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{9323EC13-B736-45ED-8845-7358C228FF45}.@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}&.{9323EC13-B736-45ED-8845-7358C228FF45}.@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}&.{9323EC13-B736-45ED-8845-7358C228FF45}.@......&.{DE28A560-E5E1-4035-8CA3-44934686A249}&.{9323EC13-B736-45ED-8845-7358C228FF45}.@......&.{03D39B98-E7BB-4062-BD92-307D642A5CF1}&.{9323EC13-B736-45ED-8845-7358C228FF45}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{9323EC
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1360
                                                                  Entropy (8bit):5.410752962027977
                                                                  Encrypted:false
                                                                  SSDEEP:24:3yWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R82r+SVbR:CWSU4xymI4RfoUeW+mZ9tK8NWR82jVbR
                                                                  MD5:2472A0E38320B59455B7603F9B7F89FB
                                                                  SHA1:691A17B4032C4E00558E5D4F9B9C5C49211AB3F5
                                                                  SHA-256:CCBEE94F167DC6502C5214A18C39A5E09058761CF57BE5A4CFF1A21933BEB376
                                                                  SHA-512:21A0AB8DE21F0654A8E559E78C065A0E17CD445AA2B7053B1D5DA2594CB7395F3A666D2A03C42B3EC856436239B2D9D5B7155EB00DA4A9EC839A2D9CB6CDC991
                                                                  Malicious:false
                                                                  Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):96
                                                                  Entropy (8bit):2.99798449505456
                                                                  Encrypted:false
                                                                  SSDEEP:3:QmalTuOIAlSRYplflbPRYplf955:Qmalt9lLZiLN
                                                                  MD5:F26BF481CA203C7D611850139ACBEF41
                                                                  SHA1:EA86C45B436D1B8F5F42F87AE5034332A5BCFEC4
                                                                  SHA-256:A6AE6BBFC3486BA26A9A3C67B127D6972D16B8B925BDE4AF20880EE1B1D997CB
                                                                  SHA-512:D1D2AE7C30A146AC1A85BDC133CE1F105AFC6F4EC8C5BD21A8EAACD0910929D3A9FCB540AB533A253C296C51DC71D1AE58749F7449DAB1C530E82D78D3544E4E
                                                                  Malicious:true
Preview (decoded from UTF-16LE, BOM stripped):CeveralSes :<->:  <<:>> TrialNow :<->: 0 <<:>>
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):6668
                                                                  Entropy (8bit):3.5127462716425657
                                                                  Encrypted:false
                                                                  SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                  MD5:30C30EF2CB47E35101D13402B5661179
                                                                  SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                  SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                  SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                  Malicious:true
Preview (decoded from UTF-16LE, BOM stripped; truncated where the report's preview ends):
param(
  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
 ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
 ,[Parameter(Mandatory=$true)]
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):250
                                                                  Entropy (8bit):3.576902729499699
                                                                  Encrypted:false
                                                                  SSDEEP:6:QfFok79idK3fclQ9zgltHN+KiVmMXFVrMTlp1LlG7JidK3fpdInO:QfF3IugM/XFVrMTWNvn
                                                                  MD5:479FAC6E0C05C5A57698619AFE51DEF2
                                                                  SHA1:1AF4A4DB75ACE8324ED7BFF59D711E80A7BDB821
                                                                  SHA-256:700080D274E5629A2BFA0D47B9BAF53AD69E67A64A2B04D84115D5851AB3DDBD
                                                                  SHA-512:B0B5065C216EBC1124B985F3FF86EE7C7E7E9B994190D1103C454EDD602E0242B7160BFFB202538470254675DFACAC6159F1A459B979DAD563BDED84FCED193E
                                                                  Malicious:true
Preview (decoded from UTF-16LE, BOM stripped):
$oignqp = AI_GetMsiProperty "CeveralSes"
$avoijg = [uint32]($oignqp -replace 'b', '')
AI_SetMsiProperty "TrialNow" $avoijg
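The two UTF-16LE artefacts dropped by msiexec above (the 96-byte property file and the 250-byte custom-action script) are small enough to rebuild and evaluate offline. What follows is an added example, not part of the Joe Sandbox report and not code from the sample: it reconstructs both files byte-for-byte from the previews, parses the launcher's ":<->:" / "<<:>>" property format, and emulates the three-line script. The separator strings and property names are taken from the report, and AI_GetMsiProperty / AI_SetMsiProperty are the helper names Advanced Installer exposes to PowerShell custom actions; that CeveralSes would be supplied on the msiexec command line (CeveralSes=b1b2b3 below) is an assumption, since the report does not show how the property is meant to be set.

```python
# Added example (not from the Joe Sandbox report and not the sample's own code):
# rebuilds the two UTF-16LE artefacts of the MSI's PowerShell custom action and
# evaluates the dropped script statically. Separator strings and property names
# come from the report; passing CeveralSes on the msiexec command line is an
# assumption (the report does not show how the property is meant to be set).
import re

KV_SEP = ":<->:"    # value of $msiPropKVSeparator, as seen in the dropped property file
LINE_SEP = "<<:>>"  # value of $msiPropLineSeparator, as seen in the dropped property file

# Constructed input: the 96-byte property file exactly as the report previews it
# (BOM + UTF-16LE). CeveralSes is empty because msiexec was run without it.
PROPERTY_TEXT = "CeveralSes :<->:  <<:>> TrialNow :<->: 0 <<:>> "
PROPERTY_FILE = b"\xff\xfe" + PROPERTY_TEXT.encode("utf-16-le")

# Constructed input: the 250-byte custom-action script, decoded from the preview.
SCRIPT_TEXT = (
    '$oignqp = AI_GetMsiProperty "CeveralSes"\r\n'
    "$avoijg = [uint32]($oignqp -replace 'b', '')\r\n"
    'AI_SetMsiProperty "TrialNow" $avoijg'
)
SCRIPT_FILE = b"\xff\xfe" + SCRIPT_TEXT.encode("utf-16-le")


def parse_property_file(data: bytes) -> dict:
    """Decode the launcher's property file into {name: value}.

    The 'utf-16' codec consumes the BOM; each entry is 'NAME :<->: VALUE <<:>> '.
    """
    text = data.decode("utf-16")
    props = {}
    for entry in text.split(LINE_SEP):
        if KV_SEP not in entry:
            continue  # trailing segment after the last <<:>>
        name, value = entry.split(KV_SEP, 1)
        props[name.strip()] = value.strip()
    return props


def serialize_property_file(props: dict) -> bytes:
    """Inverse of parse_property_file; reproduces the dropped file byte-for-byte."""
    text = "".join(f"{k} {KV_SEP} {v} {LINE_SEP} " for k, v in props.items())
    return b"\xff\xfe" + text.encode("utf-16-le")


def cast_uint32(s: str) -> int:
    """Minimal emulation of PowerShell's [uint32] cast applied to a string.

    An empty string becomes 0 (this is why the sandbox run ended with TrialNow=0);
    otherwise decimal digits are parsed and range-checked. Hex and exponent forms
    that PowerShell would also accept are deliberately not emulated.
    """
    if s == "":
        return 0
    if not re.fullmatch(r"\d+", s):
        raise ValueError(f"cannot convert {s!r} to uint32")
    value = int(s, 10)
    if value > 0xFFFFFFFF:
        raise ValueError(f"{value} is outside the uint32 range")
    return value


def run_custom_action(props: dict) -> dict:
    """Apply the dropped script's three lines to a property set and return the result.

    PowerShell's -replace is a case-insensitive regex, so 'b' and 'B' are both removed.
    """
    raw = props.get("CeveralSes", "")                        # AI_GetMsiProperty "CeveralSes"
    stripped = re.sub("b", "", raw, flags=re.IGNORECASE)     # $oignqp -replace 'b', ''
    updated = dict(props)
    updated["TrialNow"] = str(cast_uint32(stripped))         # AI_SetMsiProperty "TrialNow"
    return updated


if __name__ == "__main__":
    sandbox = parse_property_file(PROPERTY_FILE)
    print("as run in the sandbox:", run_custom_action(sandbox))
    # Assumed operator invocation: msiexec /i setup.msi CeveralSes=b1b2b3 (not shown in the report)
    print("with a supplied value: ", run_custom_action({"CeveralSes": "b1b2b3", "TrialNow": "0"}))
```

The two length checks (96 and 250 bytes) tie the reconstruction to the Size fields of the dropped files. In the sandbox run CeveralSes was empty, so the cast produced TrialNow=0, which is exactly what the property file records; what the installer later does with TrialNow is not visible in this report, so re-running the MSI with the property set on the command line is the obvious next experiment before drawing conclusions from the "not started" dropped executables.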
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):310928
                                                                  Entropy (8bit):6.001677789306043
                                                                  Encrypted:false
                                                                  SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                                  MD5:147B71C906F421AC77F534821F80A0C6
                                                                  SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                                  SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                                  SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: Setup.msi, Detection: malicious, Browse
                                                                  • Filename: q9bzWO2X1r.msi, Detection: malicious, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}|...|...|....../p....../v....../1...u.a.l....../u...|........./v....../}...Rich|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):117496
                                                                  Entropy (8bit):6.136079902481222
                                                                  Encrypted:false
                                                                  SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                                  MD5:F67792E08586EA936EBCAE43AAB0388D
                                                                  SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                                  SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                                  SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                   • Filename: Setup.msi, Detection: malicious
                                                                   • Filename: q9bzWO2X1r.msi, Detection: malicious
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):506008
                                                                  Entropy (8bit):6.4284173495366845
                                                                  Encrypted:false
                                                                  SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                                  MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                                  SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                                  SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                                  SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                   • Filename: Setup.msi, Detection: malicious
                                                                   • Filename: q9bzWO2X1r.msi, Detection: malicious
                                                                   • Filename: Setup.msi, Detection: malicious
                                                                   • Filename: build.msi, Detection: malicious
                                                                   • Filename: Setup.msi, Detection: malicious
                                                                   • Filename: New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html, Detection: malicious
                                                                   • Filename: m9u08f2pMF.msi, Detection: malicious
                                                                   • Filename: cwqqRXEhZb.msi, Detection: malicious
                                                                   • Filename: Setup.msi, Detection: malicious
                                                                   • Filename: file.exe, Detection: malicious
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12224
                                                                  Entropy (8bit):6.596101286914553
                                                                  Encrypted:false
                                                                  SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                                  MD5:919E653868A3D9F0C9865941573025DF
                                                                  SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                                  SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                                  SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12224
                                                                  Entropy (8bit):6.640081558424349
                                                                  Encrypted:false
                                                                  SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                                  MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                                  SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                                  SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                                  SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11712
                                                                  Entropy (8bit):6.6023398138369505
                                                                  Encrypted:false
                                                                  SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                                  MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                                  SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                                  SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                                  SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11720
                                                                  Entropy (8bit):6.614262942006268
                                                                  Encrypted:false
                                                                  SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                                  MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                                  SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                                  SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                                  SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11720
                                                                  Entropy (8bit):6.654155040985372
                                                                  Encrypted:false
                                                                  SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                                  MD5:94788729C9E7B9C888F4E323A27AB548
                                                                  SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                                  SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                                  SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15304
                                                                  Entropy (8bit):6.548897063441128
                                                                  Encrypted:false
                                                                  SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                                  MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                                  SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                                  SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                                  SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11712
                                                                  Entropy (8bit):6.622041192039296
                                                                  Encrypted:false
                                                                  SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                                  MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                                  SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                                  SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                                  SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11720
                                                                  Entropy (8bit):6.730719514840594
                                                                  Encrypted:false
                                                                  SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                                  MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                                  SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                                  SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                                  SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11720
                                                                  Entropy (8bit):6.626458901834476
                                                                  Encrypted:false
                                                                  SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                                  MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                                  SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                                  SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                                  SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.577869728469469
                                                                  Encrypted:false
                                                                  SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                                  MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                                  SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                                  SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                                  SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11712
                                                                  Entropy (8bit):6.6496318655699795
                                                                  Encrypted:false
                                                                  SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                                  MD5:A038716D7BBD490378B26642C0C18E94
                                                                  SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                                  SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                                  SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12736
                                                                  Entropy (8bit):6.587452239016064
                                                                  Encrypted:false
                                                                  SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                                  MD5:D75144FCB3897425A855A270331E38C9
                                                                  SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                                  SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                                  SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14280
                                                                  Entropy (8bit):6.658205945107734
                                                                  Encrypted:false
                                                                  SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                                  MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                                  SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                                  SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                                  SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12224
                                                                  Entropy (8bit):6.621310788423453
                                                                  Encrypted:false
                                                                  SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                                  MD5:808F1CB8F155E871A33D85510A360E9E
                                                                  SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                                  SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                                  SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11720
                                                                  Entropy (8bit):6.7263193693903345
                                                                  Encrypted:false
                                                                  SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                                  MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                                  SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                                  SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                                  SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12744
                                                                  Entropy (8bit):6.601327134572443
                                                                  Encrypted:false
                                                                  SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                                  MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                                  SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                                  SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                                  SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14272
                                                                  Entropy (8bit):6.519411559704781
                                                                  Encrypted:false
                                                                  SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                                  MD5:E173F3AB46096482C4361378F6DCB261
                                                                  SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                                  SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                                  SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.659079053710614
                                                                  Encrypted:false
                                                                  SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                                  MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                                  SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                                  SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                                  SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11200
                                                                  Entropy (8bit):6.7627840671368835
                                                                  Encrypted:false
                                                                  SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                                  MD5:0233F97324AAAA048F705D999244BC71
                                                                  SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                                  SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                                  SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12224
                                                                  Entropy (8bit):6.590253878523919
                                                                  Encrypted:false
                                                                  SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                                  MD5:E1BA66696901CF9B456559861F92786E
                                                                  SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                                  SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                                  SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11720
                                                                  Entropy (8bit):6.672720452347989
                                                                  Encrypted:false
                                                                  SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                                  MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                                  SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                                  SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                                  SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13760
                                                                  Entropy (8bit):6.575688560984027
                                                                  Encrypted:false
                                                                  SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                                  MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                                  SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                                  SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                                  SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.70261983917014
                                                                  Encrypted:false
                                                                  SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                                  MD5:D175430EFF058838CEE2E334951F6C9C
                                                                  SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                                  SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                                  SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12744
                                                                  Entropy (8bit):6.599515320379107
                                                                  Encrypted:false
                                                                  SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                                  MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                                  SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                                  SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                                  SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.690164913578267
                                                                  Encrypted:false
                                                                  SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                                  MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                                  SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                                  SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                                  SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11720
                                                                  Entropy (8bit):6.615761482304143
                                                                  Encrypted:false
                                                                  SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                                  MD5:735636096B86B761DA49EF26A1C7F779
                                                                  SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                                  SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                                  SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12744
                                                                  Entropy (8bit):6.627282858694643
                                                                  Encrypted:false
                                                                  SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                                  MD5:031DC390780AC08F498E82A5604EF1EB
                                                                  SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                                  SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                                  SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15816
                                                                  Entropy (8bit):6.435326465651674
                                                                  Encrypted:false
                                                                  SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                                  MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                                  SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                                  SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                                  SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.5874576656353145
                                                                  Encrypted:false
                                                                  SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                                  MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                                  SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                                  SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                                  SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13768
                                                                  Entropy (8bit):6.645869978118917
                                                                  Encrypted:false
                                                                  SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                                  MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                                  SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                                  SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                                  SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):61176
                                                                  Entropy (8bit):5.850944458899023
                                                                  Encrypted:false
                                                                  SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                                  MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                                  SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                                  SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                                  SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.X.F...F...F...>O..F.......F.......F.......F.......F.......F...F...F..-/...F..-/...F..-/#..F...FK..F..-/...F..Rich.F..........PE..d.....-a.........." .....X...|.......Y.................................................... .....................................................x.......h.......................0...P...T.......................(....................p..X............................text....V.......X.................. ..`.rdata...X...p...Z...\..............@..@.data...............................@....pdata..............................@..@.rsrc...h...........................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):127224
                                                                  Entropy (8bit):6.217127607919178
                                                                  Encrypted:false
                                                                  SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                                  MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                                  SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                                  SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                                  SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'y.fI*.fI*.fI*...*.fI*..M+.fI*..J+.fI*..L+.fI*..H+.fI*..H+.fI*..H+.fI*.fH*.fI*..L+.fI*..I+.fI*...*.fI*.f.*.fI*..K+.fI*Rich.fI*................PE..d.....-a.........." ......................................................... ............ ..........................................x..|B..............p.......@...............D....>..T...................0@..(...0?............... ...............................text...p........................... ..`.rdata....... ......................@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc..D...........................@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):418040
                                                                  Entropy (8bit):6.1735291180760505
                                                                  Encrypted:false
                                                                  SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                                  MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                                  SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                                  SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                                  SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+ ..Es..Es..Es...s..Es..Ar..Es..Fr..Es..@r..Es..Dr..Es..Dr..Es..Ds(.Es..@r..Es..Er..Es..s..Es...s..Es..Gr..EsRich..Es........PE..d.....-a.........." .........:.......................................................4.... .........................................`n...T...........p.......0..d2...D.................T...................0...(...0................ ...............................text...\........................... ..`.rdata..h.... ......................@..@.data....7.......0..................@....pdata..d2...0...4..................@..@.rsrc........p.......8..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):698104
                                                                  Entropy (8bit):6.463466021766765
                                                                  Encrypted:false
                                                                  SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                                  MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                                  SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                                  SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                                  SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.B.P.B.P.B.P.K...N.P...T.J.P...S.@.P...U.Z.P...Q.F.P...Q.G.P.B.Q...P..U.P.P..P.C.P...C.P.B...C.P..R.C.P.RichB.P.........................PE..d.....-a.........." ................l................................................s.... ..........................................7..T...4...........X....`...D...................Q..T...................@S..(...@R..................H............................text............................... ..`.rdata...V.......X..................@..@.data...`(...0..."..................@....pdata...D...`...F...6..............@..@.rsrc...X............|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):31480
                                                                  Entropy (8bit):5.969706735107452
                                                                  Encrypted:false
                                                                  SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                                  MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                                  SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                                  SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                                  SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ/PE header; sections .text, .rdata, .data, .pdata, .rsrc, .reloc (binary content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):103672
                                                                  Entropy (8bit):5.851546804507911
                                                                  Encrypted:false
                                                                  SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                                  MD5:129051E3B7B8D3CC55559BEDBED09486
                                                                  SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                                  SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                                  SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ/PE header; sections .text, .rdata, .data, .pdata, .rsrc, .reloc (binary content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):57488
                                                                  Entropy (8bit):6.382541157520703
                                                                  Encrypted:false
                                                                  SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                                  MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                                  SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                                  SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                                  SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ/PE header; sections .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc (binary content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):4664568
                                                                  Entropy (8bit):6.259383987199329
                                                                  Encrypted:false
                                                                  SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                                  MD5:A6A89F55416DB79D9E13B82685A04D60
                                                                  SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                                  SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                                  SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ/PE header; sections .text, .rdata, .data, .pdata, .rsrc, .reloc (binary content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):215288
                                                                  Entropy (8bit):6.050529290720027
                                                                  Encrypted:false
                                                                  SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                                  MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                                  SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                                  SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                                  SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ/PE header; sections .text, .rdata, .data, .pdata, .rsrc, .reloc (binary content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:RAR archive data, v5
                                                                  Category:dropped
                                                                  Size (bytes):410206
                                                                  Entropy (8bit):7.999568031713554
                                                                  Encrypted:true
                                                                  SSDEEP:6144:rXYi+uB7rs7BGPhWDoX+CrB6CN50SUF883Rq4l3n2gJIAcxp9F0Q+VUNhJGMEin6:dBthnX+Ct6Cb0SiN3Rz3nWAjUPYPkGb9
                                                                  MD5:E6E291E25DCB77E9E131DBE358EF8623
                                                                  SHA1:ADF74B545083FA7539B093EFFC07D1C4B4FD47A3
                                                                  SHA-256:0CD6382782E4966C15CC30FAC1917137D577752DB2A58C1D1DA4CEFB3BF2300D
                                                                  SHA-512:E080775D49914E406E93735745D9894433C8F2B5AC6D6483C8EC1C2DAE08B9E2D3485FB7FFD4D27245EDAC9578CBAA2DCB79DB0CF3BA6AFD63B40BA25F26ED99
                                                                  Malicious:false
                                                                  Preview:Rar! signature (RAR v5 archive header; compressed content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):566704
                                                                  Entropy (8bit):6.494428734965787
                                                                  Encrypted:false
                                                                  SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                                  MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                                  SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                                  SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                                  SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ/PE header; sections .text, .rdata, .data, .pdata, .rsrc, .reloc (binary content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):22
                                                                  Entropy (8bit):3.879664004902594
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                                  MD5:D9324699E54DC12B3B207C7433E1711C
                                                                  SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                                  SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                                  SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                                  Malicious:false
                                                                  Preview:@echo off..Start "" %1
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):12124160
                                                                  Entropy (8bit):4.1175508751036585
                                                                  Encrypted:false
                                                                  SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                                  MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                                  SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                                  SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                                  SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                                  Malicious:false
                                                                  Preview:embedded build string "Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925" (remaining binary content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):12124160
                                                                  Entropy (8bit):4.117842215789484
                                                                  Encrypted:false
                                                                  SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                                  MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                                  SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                                  SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                                  SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                                  Malicious:false
                                                                  Preview:embedded build string "Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925" (remaining binary content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):51389
                                                                  Entropy (8bit):7.916683616123071
                                                                  Encrypted:false
                                                                  SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                                  MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                                  SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                                  SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                                  SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                                  Malicious:false
                                                                  Preview:JM/PK jmod archive; entries include classes/module-info.class, classes/java/awt/datatransfer/Clipboard.class (compressed content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):12133334
                                                                  Entropy (8bit):7.944474086295981
                                                                  Encrypted:false
                                                                  SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                                  MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                                  SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                                  SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                                  SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                                  Malicious:false
                                                                  Preview:JM/PK jmod archive; entries include classes/module-info.class (compressed content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):41127
                                                                  Entropy (8bit):7.961466748192397
                                                                  Encrypted:false
                                                                  SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                                  MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                                  SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                                  SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                                  SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                                  Malicious:false
                                                                  Preview:JM/PK jmod archive; entries include classes/module-info.class, classes/java/lang/instrument/ClassDefinition.class, classes/java/lang/instrument/ClassFileTransformer.class (compressed content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):113725
                                                                  Entropy (8bit):7.928841651831531
                                                                  Encrypted:false
                                                                  SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                                  MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                                  SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                                  SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                                  SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                                  Malicious:false
                                                                  Preview:JM/PK jmod archive; entries include classes/module-info.class, classes/java/util/logging/ConsoleHandler.class (compressed content omitted)
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):896846
                                                                  Entropy (8bit):7.923431656723031
                                                                  Encrypted:false
                                                                  SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                                  MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                                  SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                                  SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                                  SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                                  Malicious:false
                                                                  Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):639224
                                                                  Entropy (8bit):6.219852228773659
                                                                  Encrypted:false
                                                                  SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                                  MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                                  SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                                  SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                                  SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):98224
                                                                  Entropy (8bit):6.452201564717313
                                                                  Encrypted:false
                                                                  SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                                  MD5:F34EB034AA4A9735218686590CBA2E8B
                                                                  SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                                  SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                                  SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):37256
                                                                  Entropy (8bit):6.297533243519742
                                                                  Encrypted:false
                                                                  SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                                  MD5:135359D350F72AD4BF716B764D39E749
                                                                  SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                                  SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                                  SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                  Category:dropped
                                                                  Size (bytes):372526
                                                                  Entropy (8bit):4.467275942115759
                                                                  Encrypted:false
                                                                  SSDEEP:3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
                                                                  MD5:B52B2D1D4C9E56CA24AB0CD0730CC5AD
                                                                  SHA1:C70A3683DF57DE3096CA58F314C0B649035392CC
                                                                  SHA-256:73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
                                                                  SHA-512:CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
                                                                  Malicious:false
                                                                  Preview:............ .( ..v......... .(.... ..@@.... .(B...(..00.... ..%...j.. .... ............... .....>......... .h......(............. ...... ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {1E282293-F569-4B57-A204-E05DDA8D05B2}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Dec 21 08:40:04 2024, Last Saved Time/Date: Sat Dec 21 08:40:04 2024, Last Printed: Sat Dec 21 08:40:04 2024, Number of Pages: 450
                                                                  Category:dropped
                                                                  Size (bytes):60336332
                                                                  Entropy (8bit):7.202452747331342
                                                                  Encrypted:false
                                                                  SSDEEP:786432:JWZbjVmrjV7eIAtehOTZqoZ4sdUuzt/NCaY2ksC:JWdVmrjV7eIvhOTZnRjVCa1t
                                                                  MD5:2A680C15A6A3D07A5E4DCE69C190F91C
                                                                  SHA1:73E7AC9D834F35C38712256F744C03471DA90B68
                                                                  SHA-256:38072285421B1DDA58CA4D8F722346D3CDF32B43203AE6EC5254DCDC24546B65
                                                                  SHA-512:BAC395D952C70F73C3B2EB5C1AF5CAD015173E7979A6CC8A227252C836E7DFB625C86ECB26FBA041299E5609D241BD112AF3EA72CD735C43AB8DF3F37BDFC8EC
                                                                  Malicious:false
                                                                  Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...N...:...;...<...=...>...?...@...A...D...C...K...E...F...G...H...I...J...""..L...M...e...O...P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {1E282293-F569-4B57-A204-E05DDA8D05B2}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Dec 21 08:40:04 2024, Last Saved Time/Date: Sat Dec 21 08:40:04 2024, Last Printed: Sat Dec 21 08:40:04 2024, Number of Pages: 450
                                                                  Category:dropped
                                                                  Size (bytes):60336332
                                                                  Entropy (8bit):7.202452747331342
                                                                  Encrypted:false
                                                                  SSDEEP:786432:JWZbjVmrjV7eIAtehOTZqoZ4sdUuzt/NCaY2ksC:JWdVmrjV7eIvhOTZnRjVCa1t
                                                                  MD5:2A680C15A6A3D07A5E4DCE69C190F91C
                                                                  SHA1:73E7AC9D834F35C38712256F744C03471DA90B68
                                                                  SHA-256:38072285421B1DDA58CA4D8F722346D3CDF32B43203AE6EC5254DCDC24546B65
                                                                  SHA-512:BAC395D952C70F73C3B2EB5C1AF5CAD015173E7979A6CC8A227252C836E7DFB625C86ECB26FBA041299E5609D241BD112AF3EA72CD735C43AB8DF3F37BDFC8EC
                                                                  Malicious:false
                                                                  Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...N...:...;...<...=...>...?...@...A...D...C...K...E...F...G...H...I...J...""..L...M...e...O...P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1201504
                                                                  Entropy (8bit):6.4557937684843365
                                                                  Encrypted:false
                                                                  SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                                  MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                                  SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                                  SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                                  SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.|CF..@G.|DF..@G.|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):380520
                                                                  Entropy (8bit):6.512348002260683
                                                                  Encrypted:false
                                                                  SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                                  MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                                  SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                                  SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                                  SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):393167
                                                                  Entropy (8bit):4.73706274283849
                                                                  Encrypted:false
                                                                  SSDEEP:3072:VV9LAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzQ:VV9UCANx6xPZX9mBb
                                                                  MD5:AE56E0F1E00E04958B31D4D826E97C71
                                                                  SHA1:79FB15E72B3FD7273FCC9D0A19A94783A10AD222
                                                                  SHA-256:70FEACD17EDD7026807A1142F136FC09D1E67D32E780BFA6E8B94F45207019D2
                                                                  SHA-512:67C07285B5245B947820F05F7F22726125F550C92CBB4E01C6C828D14680B7A8B21F78CCE0689B0E86B9C319561190E498EBA714C1DA22FC768D46C83D3B988B
                                                                  Malicious:false
                                                                  Preview:...@IXOS.@.....@.8.Y.@.....@.....@.....@.....@.....@......&.{9323EC13-B736-45ED-8845-7358C228FF45}..App x installer..setup.msi.@.....@.....@.....@......icon_22.exe..&.{1E282293-F569-4B57-A204-E05DDA8D05B2}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}D.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}8.21:\Software\Coors Q Corporation\App x installer\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}O.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}V.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):787808
                                                                  Entropy (8bit):6.693392695195763
                                                                  Encrypted:false
                                                                  SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                                  MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                                  SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                                  SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                                  SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.1618910997525278
                                                                  Encrypted:false
                                                                  SSDEEP:12:JSbX72FjSAGiLIlHVRpMh/7777777777777777777777777vDHFXA2lp3Xl0i8Q:JwQI5cu2b6F
                                                                  MD5:CAED05401C998B500399461A02FF5935
                                                                  SHA1:5EF94F78EAB9262C9D92FB67EC3295CB56EB60C3
                                                                  SHA-256:8698578082C991393EC6AF4E29278DFE375188A88687C94CF672D18DDDE48019
                                                                  SHA-512:962AE3433F197D912B726C750C5F6F93111DF9774B9F5EB65641ED5FB8A67910EE005A82B49E3A609B7BE1BC23B9069C0E7020B69C21D6591D93EBAD4986DE44
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.587482381733576
                                                                  Encrypted:false
                                                                  SSDEEP:48:L8PhhuRc06WXJ8nT5BCFxiAErCyVSWheMUX/SBTZm:yhh1fnT6FwCeFGX/Gm
                                                                  MD5:F789DFD5F53D036E1BA0DB7A528AB3AB
                                                                  SHA1:8D518BC55F94CA96B5435D1B5180E5A3F6E525F4
                                                                  SHA-256:672052E2E288FB7633009E911973B596466942BBB106AD7AD6E905D79135546C
                                                                  SHA-512:FF810A5E7B6D0734798077D90524FD0EA9A031FD44B1E48EE4216BB63E0C44ACFD585B0ABBCA2774206C16BD072F1AD842BBE6B3D32F1222C08BA640C3CBE969
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):364484
                                                                  Entropy (8bit):5.3654931119176
                                                                  Encrypted:false
                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau1:zTtbmkExhMJCIpEa
                                                                  MD5:0181BB729B4523DC895B72ECC2D39DB6
                                                                  SHA1:E1C7B00F40534000987955825BC95FA0600C85A5
                                                                  SHA-256:0D45A0916B282FA37F1C7BC496863B76D7422FD4A1AA3574E79752A0686F9AE3
                                                                  SHA-512:44E1C3901D668562E4C26470DA18E290F95B7A42D569F3E56A7AEC3114B6A21B14B4EDF425C353CE94D51DF5A5BD0AF2331DE01868285E2261D6C3660D8F0203
                                                                  Malicious:false
                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):3444
                                                                  Entropy (8bit):5.011954215267298
                                                                  Encrypted:false
                                                                  SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                                  MD5:B133A676D139032A27DE3D9619E70091
                                                                  SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                                  SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                                  SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                                  Malicious:false
                                                                  Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):950
                                                                  Entropy (8bit):2.8937402169492104
                                                                  Encrypted:false
                                                                  SSDEEP:12:Q1NXCaAGaCGopGGD1JTi0SMfmCwOx6ivzivG:Q3wU/IM1x6ozoG
                                                                  MD5:9D007E669CE25371EE9401DC2AC21D2A
                                                                  SHA1:6F0CACCD76F7A94BBCB1124D398E9139E09C6FC4
                                                                  SHA-256:632004D14715476801408FC10E1B119BDC90378D2E8D573B7C14A06816799FA8
                                                                  SHA-512:AB9FEA61D8C00701E402D700873CA2B9A4FFB7D62557A2ED1C86571DCC40D3C33F7B7E358DF506C134EE4ABEE39B1167846C64A34FA19448FD1DC36AF19F579C
                                                                  Malicious:false
                                                                  Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.2705273214918098
                                                                  Encrypted:false
                                                                  SSDEEP:48:cML0ZutM+CFXJTT5EVnCFxiAErCyVSWheMUX/SBTZm:4ZzrTuVCFwCeFGX/Gm
                                                                  MD5:DEB73580992E58550F730CE884C496E2
                                                                  SHA1:E814D431960353BFA1A6DA1EB0DA134DBF85AD17
                                                                  SHA-256:316F4E4ED4220AD356E9BC1978E4211B788A53D0D7CD5475B34265D087AC8E95
                                                                  SHA-512:072AC69B12FB12B3A56F74180329605356930F23D6C5F2F0CA5B426D288E32C2372015E441D142DE3AF090A86649223C17BC2DCB5527B89979AC8ECE2E0D8FC3
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):73728
                                                                  Entropy (8bit):0.14607512488026028
                                                                  Encrypted:false
                                                                  SSDEEP:24:Crkj6t7Tx0MvxipV0Mv/0MvPAEV0yjCyH1ipV0MvIVQwG6YZMU80Ixk+I:fmZTHSFAErCyVSWheMUXIxkP
                                                                  MD5:0D91680E806417D46533CA304EA1CB2C
                                                                  SHA1:1D7683E88AF74FDA95DCFF45BD877A375A8402A3
                                                                  SHA-256:BC08C908201146288FC3D3BFE2B9C298D0C6728DDBA59126EEEC5C53727A01E7
                                                                  SHA-512:E74BA0611EA24EA533220981D8DA964B6CF77050E7EF6322E85443CA56CE445FDC5F361E0B90A9E25C34135B127624151CDC46CE8FA335DB179EEBB7B11628DC
                                                                  Malicious:false
                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.587482381733576
                                                                  Encrypted:false
                                                                  SSDEEP:48:L8PhhuRc06WXJ8nT5BCFxiAErCyVSWheMUX/SBTZm:yhh1fnT6FwCeFGX/Gm
                                                                  MD5:F789DFD5F53D036E1BA0DB7A528AB3AB
                                                                  SHA1:8D518BC55F94CA96B5435D1B5180E5A3F6E525F4
                                                                  SHA-256:672052E2E288FB7633009E911973B596466942BBB106AD7AD6E905D79135546C
                                                                  SHA-512:FF810A5E7B6D0734798077D90524FD0EA9A031FD44B1E48EE4216BB63E0C44ACFD585B0ABBCA2774206C16BD072F1AD842BBE6B3D32F1222C08BA640C3CBE969
                                                                  Malicious:false
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):0.06902556344309008
                                                                  Encrypted:false
                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOWBOm+A2GyVky6l3X:2F0i8n0itFzDHFXA2E3X
                                                                  MD5:F4C7D65DF7BFA2A3859427C3B7DE2D5A
                                                                  SHA1:97C1C9F069537BE87B048D6AD7188135AA5AE605
                                                                  SHA-256:01B535D9580EF231D03EDED365D39D03CD0CB9392430674717CE6E1F67881E7A
                                                                  SHA-512:B28931C6A46A558C380E2CD1CFE724E751D307AEBA6D2C0A46345051A4503117B57A300CB9BEC8A2424D5EC55B599BC28702B4061D2218A168A5C031A7437397
                                                                  Malicious:false
                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.587482381733576
                                                                  Encrypted:false
                                                                  SSDEEP:48:L8PhhuRc06WXJ8nT5BCFxiAErCyVSWheMUX/SBTZm:yhh1fnT6FwCeFGX/Gm
                                                                  MD5:F789DFD5F53D036E1BA0DB7A528AB3AB
                                                                  SHA1:8D518BC55F94CA96B5435D1B5180E5A3F6E525F4
                                                                  SHA-256:672052E2E288FB7633009E911973B596466942BBB106AD7AD6E905D79135546C
                                                                  SHA-512:FF810A5E7B6D0734798077D90524FD0EA9A031FD44B1E48EE4216BB63E0C44ACFD585B0ABBCA2774206C16BD072F1AD842BBE6B3D32F1222C08BA640C3CBE969
                                                                  Malicious:false
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.2705273214918098
                                                                  Encrypted:false
                                                                  SSDEEP:48:cML0ZutM+CFXJTT5EVnCFxiAErCyVSWheMUX/SBTZm:4ZzrTuVCFwCeFGX/Gm
                                                                  MD5:DEB73580992E58550F730CE884C496E2
                                                                  SHA1:E814D431960353BFA1A6DA1EB0DA134DBF85AD17
                                                                  SHA-256:316F4E4ED4220AD356E9BC1978E4211B788A53D0D7CD5475B34265D087AC8E95
                                                                  SHA-512:072AC69B12FB12B3A56F74180329605356930F23D6C5F2F0CA5B426D288E32C2372015E441D142DE3AF090A86649223C17BC2DCB5527B89979AC8ECE2E0D8FC3
                                                                  Malicious:false
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):3444
                                                                  Entropy (8bit):5.011954215267298
                                                                  Encrypted:false
                                                                  SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                                  MD5:B133A676D139032A27DE3D9619E70091
                                                                  SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                                  SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                                  SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                                  Malicious:false
                                                                  Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                                  Process:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):638
                                                                  Entropy (8bit):4.751962275036146
                                                                  Encrypted:false
                                                                  SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                                  MD5:15CA959638E74EEC47E0830B90D0696E
                                                                  SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                                  SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                                  SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                                  Malicious:false
                                                                  Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {1E282293-F569-4B57-A204-E05DDA8D05B2}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Dec 21 08:40:04 2024, Last Saved Time/Date: Sat Dec 21 08:40:04 2024, Last Printed: Sat Dec 21 08:40:04 2024, Number of Pages: 450
                                                                  Entropy (8bit):7.202452747331342
                                                                  TrID:
                                                                  • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                                  File name:setup.msi
                                                                  File size:60'336'332 bytes
                                                                  MD5:2a680c15a6a3d07a5e4dce69c190f91c
                                                                  SHA1:73e7ac9d834f35c38712256f744c03471da90b68
                                                                  SHA256:38072285421b1dda58ca4d8f722346d3cdf32b43203ae6ec5254dcdc24546b65
                                                                  SHA512:bac395d952c70f73c3b2eb5c1af5cad015173e7979a6cc8a227252c836e7dfb625c86ecb26fba041299e5609d241bd112af3ea72cd735c43ab8df3f37bdfc8ec
                                                                  SSDEEP:786432:JWZbjVmrjV7eIAtehOTZqoZ4sdUuzt/NCaY2ksC:JWdVmrjV7eIvhOTZnRjVCa1t
                                                                  TLSH:6DD76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
                                                                  File Content Preview:........................>............................................2..................................................................x......................................................................................................................
                                                                  Icon Hash:2d2e3797b32b2b99
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-21T13:04:20.960775+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.5 | 49704 | 172.67.164.25 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 21, 2024 13:04:19.471987009 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:19.472035885 CET | 443 | 49704 | 172.67.164.25 | 192.168.2.5
Dec 21, 2024 13:04:19.472137928 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:19.474288940 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:19.474313974 CET | 443 | 49704 | 172.67.164.25 | 192.168.2.5
Dec 21, 2024 13:04:20.693264961 CET | 443 | 49704 | 172.67.164.25 | 192.168.2.5
Dec 21, 2024 13:04:20.693394899 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:20.956763029 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:20.956805944 CET | 443 | 49704 | 172.67.164.25 | 192.168.2.5
Dec 21, 2024 13:04:20.957266092 CET | 443 | 49704 | 172.67.164.25 | 192.168.2.5
Dec 21, 2024 13:04:20.957343102 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:20.960571051 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:20.960621119 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:20.960653067 CET | 443 | 49704 | 172.67.164.25 | 192.168.2.5
Dec 21, 2024 13:04:21.722297907 CET | 443 | 49704 | 172.67.164.25 | 192.168.2.5
Dec 21, 2024 13:04:21.722359896 CET | 443 | 49704 | 172.67.164.25 | 192.168.2.5
Dec 21, 2024 13:04:21.722444057 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:21.722836018 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:21.722848892 CET | 443 | 49704 | 172.67.164.25 | 192.168.2.5
Dec 21, 2024 13:04:21.722856998 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Dec 21, 2024 13:04:21.722894907 CET | 49704 | 443 | 192.168.2.5 | 172.67.164.25
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 21, 2024 13:04:19.141870975 CET | 56163 | 53 | 192.168.2.5 | 1.1.1.1
Dec 21, 2024 13:04:19.465344906 CET | 53 | 56163 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 21, 2024 13:04:19.141870975 CET | 192.168.2.5 | 1.1.1.1 | 0x913 | Standard query (0) | cubermo.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 21, 2024 13:04:19.465344906 CET | 1.1.1.1 | 192.168.2.5 | 0x913 | No error (0) | cubermo.com | | 172.67.164.25 | A (IP address) | IN (0x0001) | false
Dec 21, 2024 13:04:19.465344906 CET | 1.1.1.1 | 192.168.2.5 | 0x913 | No error (0) | cubermo.com | | 104.21.65.145 | A (IP address) | IN (0x0001) | false
                                                                  • cubermo.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 172.67.164.25 | 443 | 5808 | C:\Windows\SysWOW64\msiexec.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-21 12:04:20 UTC189OUTPOST /updater.php HTTP/1.1
                                                                  Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                                  User-Agent: AdvancedInstaller
                                                                  Host: cubermo.com
                                                                  Content-Length: 71
                                                                  Cache-Control: no-cache
2024-12-21 12:04:20 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 32 31 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 30 37 25 33 41 30 34 25 33 41 31 37 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
Data Ascii: Date=21%2F12%2F2024&Time=07%3A04%3A17&BuildVersion=8.9.9&SoroqVins=True
2024-12-21 12:04:21 UTC | 828 | IN | HTTP/1.1 500 Internal Server Error
                                                                  Date: Sat, 21 Dec 2024 12:04:21 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Cache-Control: no-store
                                                                  cf-cache-status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RaMn2KM4hgFQLmqE24upD7sLbHk41aX5OM%2BcpVLUQNQofUH1I1JhanKVEoaTrwHYrkW9AnmBj8W3aQ183fZKZckBodKOn7BxfO1jqriT2yImXhoXiDo%2FOyAUw8fsAw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f57bbf0091e4264-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1731&min_rtt=1727&rtt_var=650&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2827&recv_bytes=920&delivery_rate=1690793&cwnd=223&unsent_bytes=0&cid=fc5e6c2e1feb7083&ts=1041&x=0"
2024-12-21 12:04:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
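The captured exchange above, worked through as an added example (Python, written for this page and not part of the Joe Sandbox report): it decodes the body bytes listed under Data Raw, checks them against the declared Content-Length, and parses the form fields the installer posts to cubermo.com. Two things a practitioner should take from the session table: the request was sent by the 32-bit msiexec.exe custom-action host (PID 5808), not by a dropped binary, so network detection has to key on the request itself rather than the process image; and the server answered 500 with an empty chunked body (the trailing 30 0d 0a 0d 0a is the zero-length terminating chunk), so no update payload was received in this run, which says nothing about what cubermo.com serves to other clients. The beacon still discloses the host's local date and time, which the example compares with the UTC capture timestamp. The request text and body hex are transcribed from the report; the function names and the record layout are this example's own.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed from the HTTPS session above: the request line and headers as the
# report prints them, and the body as the hex bytes under "Data Raw".
CAPTURED_REQUEST = """POST /updater.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvancedInstaller
Host: cubermo.com
Content-Length: 71
Cache-Control: no-cache"""

CAPTURED_BODY_HEX = (
    "44 61 74 65 3d 32 31 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d "
    "30 37 25 33 41 30 34 25 33 41 31 37 26 42 75 69 6c 64 56 65 72 73 69 6f 6e "
    "3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65"
)

# Sandbox timestamp on the outbound body (the report's "Timestamp" column).
CAPTURE_UTC = datetime(2024, 12, 21, 12, 4, 20, tzinfo=timezone.utc)


def parse_beacon(request_text: str, body_hex: str) -> dict:
    """Parse request line, headers and the hex-encoded form body into one record.

    Raises ValueError when the declared Content-Length does not match the body,
    which is the first thing to verify on a capture that may be truncated.
    """
    lines = request_text.splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    body = bytes.fromhex(body_hex)  # fromhex skips the whitespace between bytes
    declared = int(headers["content-length"])
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but body has {len(body)} bytes")

    # parse_qs percent-decodes, so %2F and %3A come back as "/" and ":".
    fields = {k: v[0] for k, v in parse_qs(body.decode("utf-8"), keep_blank_values=True).items()}
    return {
        "method": method,
        "path": path,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "content_type": headers.get("content-type"),
        "body_ascii": body.decode("utf-8"),
        "fields": fields,
    }


def clock_offset_hours(fields: dict, capture_utc: datetime) -> int:
    """Whole hours between the Date/Time the host reported (day/month/year,
    local clock) and the UTC time the sandbox captured the request."""
    local = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%d/%m/%Y %H:%M:%S")
    # Tag the naive local value as UTC purely so the two can be subtracted;
    # the difference is then the host's UTC offset.
    local = local.replace(tzinfo=timezone.utc)
    return round((local - capture_utc).total_seconds() / 3600)


def indicators(record: dict) -> dict:
    """Observables a network rule can match on: method, URI, Host, User-Agent, form keys."""
    return {
        "http.method": record["method"],
        "http.uri": record["path"],
        "http.host": record["host"],
        "http.user_agent": record["user_agent"],
        "form_keys": sorted(record["fields"]),
    }


if __name__ == "__main__":
    rec = parse_beacon(CAPTURED_REQUEST, CAPTURED_BODY_HEX)
    print(rec["fields"])
    print("host clock offset from UTC (hours):", clock_offset_hours(rec["fields"], CAPTURE_UTC))
    print(indicators(rec))
```

The Date and Time fields are the only values in the body that vary per host; BuildVersion and SoroqVins are static in this capture, so a rule built from this one sample should match on the URI, Host and User-Agent and treat the form keys as corroboration rather than as fixed values.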



                                                                  Target ID:0
                                                                  Start time:07:04:06
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                                                  Imagebase:0x7ff7a8ea0000
                                                                  File size:69'632 bytes
                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:07:04:06
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                  Imagebase:0x7ff7a8ea0000
                                                                  File size:69'632 bytes
                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:3
                                                                  Start time:07:04:09
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3
                                                                  Imagebase:0x4b0000
                                                                  File size:59'904 bytes
                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:07:04:20
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                                  Imagebase:0xf60000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:07:04:20
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:07:04:27
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
                                                                  Imagebase:0x7ff64a4a0000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:07:04:27
                                                                  Start date:21/12/2024
                                                                  Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
                                                                  Imagebase:0x7ff7482b0000
                                                                  File size:57'488 bytes
                                                                  MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:07:04:27
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:07:04:27
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:07:04:28
                                                                  Start date:21/12/2024
                                                                  Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
                                                                  Imagebase:0x140000000
                                                                  File size:117'496 bytes
                                                                  MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:07:04:28
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:07:04:49
                                                                  Start date:21/12/2024
                                                                  Path:C:\Windows\System32\wbem\WMIADAP.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:wmiadap.exe /F /T /R
                                                                  Imagebase:0x7ff726c00000
                                                                  File size:182'272 bytes
                                                                  MD5 hash:1BFFABBD200C850E6346820E92B915DC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:false
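The process list above contains the three launch patterns a detection engineer would key on: the PowerShell process started with -ExecutionPolicy Bypass and a -File under AppData\Local\Temp (Target ID 4; the -propFile/-scriptFile/-testPrefix launcher signature is consistent with Advanced Installer's PowerShell custom action, which also fits the AdvancedInstaller User-Agent in the HTTPS session), cmd.exe running suriqk.bat from AppData\Roaming (Target ID 7), and two executables launched from that same AppData\Roaming directory (Target IDs 8 and 11). The following added example (Python, written for this page and not part of the report) encodes those three checks as Sigma-style process-creation rules and runs them over the process entries transcribed from this page; the msiexec.exe, conhost.exe and WMIADAP.exe entries are included to show they are not flagged. The ProcessEvent shape and the rule names are this example's own assumptions. Note that legitimate packages built with the same installer tooling produce the same PowerShell command line, so that rule is a triage signal rather than a verdict.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record in the shape of the report's per-process entries (assumed shape)."""
    target_id: int
    image: str
    command_line: str


# Constructed sample: image paths and command lines transcribed from the process list above.
EVENTS = [
    ProcessEvent(0, r"C:\Windows\System32\msiexec.exe",
                 r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"'),
    ProcessEvent(1, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcessEvent(3, r"C:\Windows\SysWOW64\msiexec.exe",
                 r"C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3"),
    ProcessEvent(4, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r' -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1"'
                 r' -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1"'
                 r' -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."'),
    ProcessEvent(5, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(7, r"C:\Windows\System32\cmd.exe",
                 r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat"'
                 r' "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""'),
    ProcessEvent(8, r"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe",
                 r'"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"'),
    ProcessEvent(9, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(10, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(11, r"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe",
                 r'"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"'),
    ProcessEvent(12, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(13, r"C:\Windows\System32\wbem\WMIADAP.exe", r"wmiadap.exe /F /T /R"),
]

# Directory fragments compared case-insensitively against lower-cased paths.
TEMP_DIR = "\\appdata\\local\\temp\\"
ROAMING_DIR = "\\appdata\\roaming\\"


def ps_bypass_from_temp(ev: ProcessEvent) -> bool:
    """powershell.exe started with -ExecutionPolicy Bypass and -File pointing into AppData\\Local\\Temp."""
    if not ev.image.lower().endswith("\\powershell.exe"):
        return False
    cl = ev.command_line.lower()
    if not re.search(r"-executionpolicy\s+bypass\b", cl):
        return False
    m = re.search(r'-file\s+"?([^"\s]+)', cl)  # first -file argument, quoted or not
    return bool(m and TEMP_DIR in m.group(1))


def bat_from_roaming(ev: ProcessEvent) -> bool:
    """cmd.exe whose command line runs a .bat located under AppData\\Roaming."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return False
    bat_paths = re.findall(r'([a-z]:\\[^"]*?\.bat)\b', ev.command_line.lower())
    return any(ROAMING_DIR in p for p in bat_paths)


def image_in_roaming(ev: ProcessEvent) -> bool:
    """Any executable whose own image path is under AppData\\Roaming."""
    return ROAMING_DIR in ev.image.lower()


RULES = [
    ("powershell_bypass_script_from_temp", ps_bypass_from_temp),
    ("cmd_batch_from_appdata_roaming", bat_from_roaming),
    ("executable_launched_from_appdata_roaming", image_in_roaming),
]


def detect(events) -> list:
    """Return (target_id, rule_name) for every event/rule pair that fires, in report order."""
    return [(ev.target_id, name) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for target_id, rule_name in detect(EVENTS):
        print(f"Target ID {target_id}: {rule_name}")
```

Run against the transcribed list, only Target IDs 4, 7, 8 and 11 fire; the system-directory msiexec.exe and conhost.exe processes, which appear in every MSI install, stay silent. In a real telemetry pipeline the same three predicates would be applied to the Image and CommandLine fields of process-creation events rather than to this hand-built list.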

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2211400805.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_7710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q$$]q
                                                                    • API String ID: 0-182748909
                                                                    • Opcode ID: 48d6ae762a26791c82c393a4bcbd17a788fa2b750040d4962d0ba0f8ecf344f7
                                                                    • Instruction ID: 0d1d773df3cd5f93ab583699d906890d020710dc86f44801cd231cc10a26362b
                                                                    • Opcode Fuzzy Hash: 48d6ae762a26791c82c393a4bcbd17a788fa2b750040d4962d0ba0f8ecf344f7
                                                                    • Instruction Fuzzy Hash: 7251E3B070430E9FDB25CE6DC85066A7BE6EF85241F5488AADA098F292DB34C945C761
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2211400805.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_7710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $]q$$]q
                                                                    • API String ID: 0-127220927
                                                                    • Opcode ID: b18d91d83fd35090907f755b4327b88b7f5bd943db34083c21a64fe3b709e086
                                                                    • Instruction ID: 8668a88140608a33db0cf7859c4171f76e8966a60559a16333e0c790607e6b85
                                                                    • Opcode Fuzzy Hash: b18d91d83fd35090907f755b4327b88b7f5bd943db34083c21a64fe3b709e086
                                                                    • Instruction Fuzzy Hash: 63318EF0A1430EDFDF24CF1DC5846A97BF2AF42290F9988A6D6498F251E734C945CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2197971509.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_f50000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 374131bb06dd536aad5b04d44da4a4ed939b46207552158438e1d73d321ab792
                                                                    • Instruction ID: c558350c229e996c3fc05e1bfdaf7c4d5072eb6a21ece0179992f2410c9fc858
                                                                    • Opcode Fuzzy Hash: 374131bb06dd536aad5b04d44da4a4ed939b46207552158438e1d73d321ab792
                                                                    • Instruction Fuzzy Hash: ED42F570A043409FC716CF2CC490AAABBF2FF85340B15859AD9868F7A6C735ED4ADB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2197971509.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_f50000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 94b0b2703a09a43fbfbc7a5c3487974479732d0cf808ca967081c844e6633369
                                                                    • Instruction ID: 321e5e803798201479198b0f254a90072444ff808a9e099489f550878b6e9f94
                                                                    • Opcode Fuzzy Hash: 94b0b2703a09a43fbfbc7a5c3487974479732d0cf808ca967081c844e6633369
                                                                    • Instruction Fuzzy Hash: FBA16C35E002088FDB14DFA4D944AADBBB2FF84351F258519E906AB365DF34AD4ADB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2197971509.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_f50000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e49f9733cc72bb2a033362ac5466c3fb99a9de3f02611dbe34acdd7acfda4a3f
                                                                    • Instruction ID: 2dcc6ba5d2635776e0d4a7905a600316e9bdc56907e3f2002838795eae1264cf
                                                                    • Opcode Fuzzy Hash: e49f9733cc72bb2a033362ac5466c3fb99a9de3f02611dbe34acdd7acfda4a3f
                                                                    • Instruction Fuzzy Hash: 6971CF30A00649CFCB14DF68C844A9DBBF6FF89355F148569D805EB6A1DB75AC0ACB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2197971509.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_f50000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 369629c133649f0264dfcbc4651eb5c8f0077117a9a313b884714f5fab72361f
                                                                    • Instruction ID: fbc3f4ca90c6372ebb804acaf891a46aefeb586555ddf6ea2af7795a756b1e83
                                                                    • Opcode Fuzzy Hash: 369629c133649f0264dfcbc4651eb5c8f0077117a9a313b884714f5fab72361f
                                                                    • Instruction Fuzzy Hash: D0716D30E00248DFDB14DFA5D844BADBBF6BF88355F148429D802AB2A1DF35AC4ADB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2197971509.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_f50000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 74eeae32bc7e8328010d297295a762d902d6f9dbc26088668b37d1cd3f5b47c5
                                                                    • Instruction ID: f7ccd25ab6ef2c2f315df3dbf08eb2773fd004ef4b8d188c77b64ceb468de65d
                                                                    • Opcode Fuzzy Hash: 74eeae32bc7e8328010d297295a762d902d6f9dbc26088668b37d1cd3f5b47c5
                                                                    • Instruction Fuzzy Hash: 73414F71A002049FDB14DF64C998AAE7BB6FF88751F144568E906EB7A0CF34AC46EB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2197971509.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                    Joe Sandbox IDA Plugin

Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.7%
Total number of Nodes: 700
Total number of Limit Nodes: 1
__GSHandlerCheck_EH 3071 7ff7482b43d0 ExFilterRethrow 10 API calls 3070->3071 3072 7ff7482b5a6d 3071->3072 3073 7ff7482b43d0 ExFilterRethrow 10 API calls 3072->3073 3075 7ff7482b5a76 3073->3075 3074->3070 3076 7ff7482b4104 10 API calls 3074->3076 3077 7ff7482b43d0 ExFilterRethrow 10 API calls 3075->3077 3076->3070 3078 7ff7482b5a7f 3077->3078 3079 7ff7482b43d0 ExFilterRethrow 10 API calls 3078->3079 3080 7ff7482b5a8e 3079->3080 3082 7ff7482b43d0 ExFilterRethrow 10 API calls 3081->3082 3083 7ff7482b3b29 3082->3083 3084 7ff7482b3b34 3083->3084 3085 7ff7482b43d0 ExFilterRethrow 10 API calls 3083->3085 3086 7ff7482b43d0 ExFilterRethrow 10 API calls 3084->3086 3085->3084 3087 7ff7482b3b45 3086->3087 3087->3065 3087->3066 3088 7ff7482b7260 3089 7ff7482b7280 3088->3089 3090 7ff7482b7273 3088->3090 3091 7ff7482b1e80 _invalid_parameter_noinfo_noreturn 3090->3091 3091->3089 3092 7ff7482b1ce0 3093 7ff7482b2688 5 API calls 3092->3093 3094 7ff7482b1cea gethostname 3093->3094 3095 7ff7482b1da9 WSAGetLastError 3094->3095 3096 7ff7482b1d08 3094->3096 3097 7ff7482b1450 6 API calls 3095->3097 3098 7ff7482b2040 22 API calls 3096->3098 3099 7ff7482b1d76 3097->3099 3102 7ff7482b18a0 3098->3102 3100 7ff7482b2660 __GSHandlerCheck_EH 8 API calls 3099->3100 3101 7ff7482b1d87 3100->3101 3102->3099 3103 7ff7482b1dd0 3102->3103 3104 7ff7482b20c0 21 API calls 3102->3104 3105 7ff7482b1450 6 API calls 3103->3105 3104->3102 3105->3099 2852 7ff7482b4024 2859 7ff7482b642c 2852->2859 2855 7ff7482b4031 2871 7ff7482b6714 2859->2871 2862 7ff7482b402d 2862->2855 2864 7ff7482b44ac 2862->2864 2863 7ff7482b6460 __vcrt_uninitialize_locks DeleteCriticalSection 2863->2862 2876 7ff7482b65e8 2864->2876 2872 7ff7482b6498 __vcrt_FlsAlloc 5 API calls 2871->2872 2873 7ff7482b674a 2872->2873 2874 7ff7482b675f InitializeCriticalSectionAndSpinCount 2873->2874 2875 7ff7482b6444 2873->2875 2874->2875 2875->2862 2875->2863 2877 7ff7482b6498 __vcrt_FlsAlloc 5 API calls 2876->2877 2878 7ff7482b660d TlsAlloc 2877->2878 3106 
7ff7482b7559 3109 7ff7482b4158 3106->3109 3110 7ff7482b4182 3109->3110 3111 7ff7482b4170 3109->3111 3113 7ff7482b43d0 ExFilterRethrow 10 API calls 3110->3113 3111->3110 3112 7ff7482b4178 3111->3112 3115 7ff7482b43d0 ExFilterRethrow 10 API calls 3112->3115 3119 7ff7482b4180 3112->3119 3114 7ff7482b4187 3113->3114 3117 7ff7482b43d0 ExFilterRethrow 10 API calls 3114->3117 3114->3119 3116 7ff7482b41a7 3115->3116 3118 7ff7482b43d0 ExFilterRethrow 10 API calls 3116->3118 3117->3119 3120 7ff7482b41b4 terminate 3118->3120 2880 7ff7482b191a 2881 7ff7482b194d 2880->2881 2882 7ff7482b18a0 2880->2882 2883 7ff7482b20c0 21 API calls 2881->2883 2885 7ff7482b1dd0 2882->2885 2886 7ff7482b20c0 21 API calls 2882->2886 2889 7ff7482b1d76 2882->2889 2883->2882 2884 7ff7482b2660 __GSHandlerCheck_EH 8 API calls 2887 7ff7482b1d87 2884->2887 2888 7ff7482b1450 6 API calls 2885->2888 2886->2882 2888->2889 2889->2884 2890 7ff7482b291a 2891 7ff7482b3020 __scrt_is_managed_app GetModuleHandleW 2890->2891 2892 7ff7482b2921 2891->2892 2893 7ff7482b2960 _exit 2892->2893 2894 7ff7482b2925 2892->2894 2895 7ff7482b1b18 _time64 2896 7ff7482b1b34 2895->2896 2896->2896 2897 7ff7482b1bf1 2896->2897 2911 7ff7482b1ee0 2896->2911 2899 7ff7482b2230 22 API calls 2897->2899 2900 7ff7482b1c34 BuildCatchObjectHelperInternal 2897->2900 2899->2900 2901 7ff7482b1da2 _invalid_parameter_noinfo_noreturn 2900->2901 2902 7ff7482b18a0 2900->2902 2903 7ff7482b1da9 WSAGetLastError 2901->2903 2906 7ff7482b1d76 2902->2906 2907 7ff7482b1dd0 2902->2907 2908 7ff7482b20c0 21 API calls 2902->2908 2904 7ff7482b1450 6 API calls 2903->2904 2904->2906 2905 7ff7482b2660 __GSHandlerCheck_EH 8 API calls 2909 7ff7482b1d87 2905->2909 2906->2905 2910 7ff7482b1450 6 API calls 2907->2910 2908->2902 2910->2906 2915 7ff7482b1f25 2911->2915 2924 7ff7482b1f04 BuildCatchObjectHelperInternal 2911->2924 2912 7ff7482b2031 2913 7ff7482b17e0 21 API calls 2912->2913 2914 7ff7482b2036 2913->2914 2918 7ff7482b1720 Concurrency::cancel_current_task 4 API 
calls 2914->2918 2915->2912 2917 7ff7482b1fa9 2915->2917 2919 7ff7482b1f74 2915->2919 2916 7ff7482b2690 5 API calls 2923 7ff7482b1f92 BuildCatchObjectHelperInternal 2916->2923 2921 7ff7482b2690 5 API calls 2917->2921 2917->2923 2922 7ff7482b203c 2918->2922 2919->2914 2919->2916 2920 7ff7482b202a _invalid_parameter_noinfo_noreturn 2920->2912 2921->2923 2923->2920 2923->2924 2924->2897

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                                    • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                                    • API String ID: 2647627392-2367407095
                                                                    • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                    • Instruction ID: 30735db66d4a5f2668d3907800f07967f768f82b8bf32db4b5e3296dd28e772b
                                                                    • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                    • Instruction Fuzzy Hash: 0FA18261D1E79AD5FB61BF20A400279E6E4EF4E754F884132C94D5279AEE3CE845C328

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    Similarity
                                                                    • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                    • String ID:
                                                                    • API String ID: 2308368977-0
                                                                    • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                    • Instruction ID: ddd0d6079feb0efe933513125aa0e46cc2ee61ade833b959f66f32ddfee9cc2e
                                                                    • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                    • Instruction Fuzzy Hash: B2312521E0E64FC2EA14BF6594553BAE291EF4D784FC45039EA4D0B3A7DE2CE844C278

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    Similarity
                                                                    • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                    • String ID: [createdump]
                                                                    • API String ID: 3735572767-2657508301
                                                                    • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                    • Instruction ID: f1766a2f83d8c1e54666b563ec04edafc56f34ba73622edaeca3f82a3c884415
                                                                    • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                    • Instruction Fuzzy Hash: 28012C21A0DB85C2E600BF90F81517AE364FB88BD1F804535EE8D037699F3CD455C714

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    Similarity
                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                    • String ID:
                                                                    • API String ID: 3140674995-0
                                                                    • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                    • Instruction ID: 763a92757871f49237bdd7da8e4d737dfd1e88d52e4468343c513ac543ec5b5e
                                                                    • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                    • Instruction Fuzzy Hash: C6311E72609B85C6EB60AF64E8403FAB3A5FB48784F84443ADB4E47B94DF38D548C724
                                                                    Memory Dump Source
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                    • Instruction ID: 468ef067681a0186289f38d416ae6179a8d26454ac3a419d31727b2dee5b0e10
                                                                    • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                    • Instruction Fuzzy Hash: 30A0022190EC0AD1E644BF5CEC58132E3F0FF68380BC00D31D50D412A0AF3DA444D328

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7482B242D
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7482B243B
                                                                      • Part of subcall function 00007FF7482B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B1475
                                                                      • Part of subcall function 00007FF7482B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF7482B1485
                                                                      • Part of subcall function 00007FF7482B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B1494
                                                                      • Part of subcall function 00007FF7482B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B14B3
                                                                      • Part of subcall function 00007FF7482B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B14BE
                                                                      • Part of subcall function 00007FF7482B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B14C7
                                                                    • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7482B2466
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7482B2470
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7482B2487
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7482B25F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    Similarity
                                                                    • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                                    • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                                    • API String ID: 3971781330-1292085346
                                                                    • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                    • Instruction ID: bf0ad2d653b7ac3a5fd5695464310eceeeacf1214d8a457f1284d253a8fa1ce5
                                                                    • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                    • Instruction Fuzzy Hash: 88615F31A0EB49C2E614BF15A85067AE7A1FB897D0F900531EA9E03BA5DF3CE445D728

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                    • String ID: csm$csm$csm
                                                                    • API String ID: 695522112-393685449
                                                                    • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                    • Instruction ID: 9d4bca18a7b82e5c9e994c1679d41c83dc58291f0f8a36a1d67e3b04c3128dbf
                                                                    • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                    • Instruction Fuzzy Hash: 9EE1597290DA8ACAE720BF24D4802BDF7A0FB48B48F944135EB9D47796DE38E485C754

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                    • String ID: [createdump]
                                                                    • API String ID: 3735572767-2657508301
                                                                    • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                    • Instruction ID: edd248e601ce9aa1c69cd9e070c2bff35acc9bcdf5f2efe1bebe68d07fbae59a
                                                                    • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                    • Instruction Fuzzy Hash: DC011A31A0DB8582E600BF90F8141BAE360EB88BD1F804535EA8D037699E7CD495C754

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • WSAStartup.WS2_32 ref: 00007FF7482B186C
                                                                      • Part of subcall function 00007FF7482B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B1475
                                                                      • Part of subcall function 00007FF7482B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF7482B1485
                                                                      • Part of subcall function 00007FF7482B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B1494
                                                                      • Part of subcall function 00007FF7482B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B14B3
                                                                      • Part of subcall function 00007FF7482B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B14BE
                                                                      • Part of subcall function 00007FF7482B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B14C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                                    • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                                    • API String ID: 3378602911-3973674938
                                                                    • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                    • Instruction ID: 17a1a558e83e131daccc7576883716db3f7133229141b7cc0175fb5cdb96a25c
                                                                    • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                    • Instruction Fuzzy Hash: D331C062A0EAC9C6E759BF1598547F9E7A2BB4A784F840032DE4D13396CE3CE145C328

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF7482B669F,?,?,?,00007FF7482B441E,?,?,?,00007FF7482B43D9), ref: 00007FF7482B651D
                                                                    • GetLastError.KERNEL32(?,00000000,00007FF7482B669F,?,?,?,00007FF7482B441E,?,?,?,00007FF7482B43D9,?,?,?,?,00007FF7482B3524), ref: 00007FF7482B652B
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00007FF7482B669F,?,?,?,00007FF7482B441E,?,?,?,00007FF7482B43D9,?,?,?,?,00007FF7482B3524), ref: 00007FF7482B6555
                                                                    • FreeLibrary.KERNEL32(?,00000000,00007FF7482B669F,?,?,?,00007FF7482B441E,?,?,?,00007FF7482B43D9,?,?,?,?,00007FF7482B3524), ref: 00007FF7482B659B
                                                                    • GetProcAddress.KERNEL32(?,00000000,00007FF7482B669F,?,?,?,00007FF7482B441E,?,?,?,00007FF7482B43D9,?,?,?,?,00007FF7482B3524), ref: 00007FF7482B65A7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                                    • String ID: api-ms-
                                                                    • API String ID: 2559590344-2084034818
                                                                    • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                    • Instruction ID: 2752b8f02d7d652278d7a4ba7f960d2847cc51b74e0b2e6168d75478e31b0278
                                                                    • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                    • Instruction Fuzzy Hash: 52318D21E1FA4AD1EE22BF12A800575E2D4FF4CBA0F994634DD1D4A388EF3CE5548328

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: _time64
                                                                    • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                    • API String ID: 1670930206-4114407318
                                                                    • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                    • Instruction ID: c4ce0758973a1f0d0fcbd0eae7542575efd479bd9e6bdcfb65cae32070aea26d
                                                                    • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                    • Instruction Fuzzy Hash: 5551E362A1DB8986EB00EF28E4403BDE7A5EB497D0F800132DA5D277A9DF3CE041D714

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointerabort
                                                                    • String ID: MOC$RCC
                                                                    • API String ID: 1188231555-2084237596
                                                                    • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                    • Instruction ID: c9bbb712eb2080589ad3f21d285e0e35b0f5b8b30072fb41452e34e3667f539e
                                                                    • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                    • Instruction Fuzzy Hash: 18919073A09B8ACAE710AF65E8802BDF7A0FB48788F544129EA8D1B755DF38D195C704

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: __except_validate_context_recordabort
                                                                    • String ID: csm$csm
                                                                    • API String ID: 746414643-3733052814
                                                                    • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                    • Instruction ID: 40516fada7075efd36fb3fc25abba3770198612da02b92710c37f94f05e07a59
                                                                    • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                    • Instruction Fuzzy Hash: 8071B13290E686CAD761BF259540779FBA0FB48B99F848136DA8D0BB85CF3CE451CB14

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                    • API String ID: 0-4114407318
                                                                    • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                    • Instruction ID: cad42a6726ddd929c55c7bbadaf8ca60a84ead43c465a60a175676e59788ca48
                                                                    • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                    • Instruction Fuzzy Hash: D851C522A1DB8986E700EF29E4407BAE761EB897D0F900135EA9D17BE9CF3DE041D754

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFrameInfo__except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 2558813199-1018135373
                                                                    • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                    • Instruction ID: e00cddcd01012b456a84c1a8fe5199c7ae8c705f028834b5c1fd2d91f3395dfa
                                                                    • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                    • Instruction Fuzzy Hash: 1B51283261EA4AC6D660BF15A58027EF7B4FB88B94F540134EB8D07B56CF78E460CB54
                                                                    APIs
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00007FF7482B17EB
                                                                    • WSAStartup.WS2_32 ref: 00007FF7482B186C
                                                                      • Part of subcall function 00007FF7482B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B1475
                                                                      • Part of subcall function 00007FF7482B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF7482B1485
                                                                      • Part of subcall function 00007FF7482B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B1494
                                                                      • Part of subcall function 00007FF7482B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B14B3
                                                                      • Part of subcall function 00007FF7482B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B14BE
                                                                      • Part of subcall function 00007FF7482B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7482B14C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.2263893541.00007FF7482B0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264056960.00007FF7482BC000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.2264097606.00007FF7482BD000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                                    • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                                    • API String ID: 1412700758-3183687674
                                                                    • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                    • Instruction ID: 3fbd009d4ae49e09c4a034b0f9f9a7d713d4c008093977e9720ab89b3be42131
                                                                    • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                    • Instruction Fuzzy Hash: 08019222A1D989D5F761BF12EC417BAE350BB4D7A4F800035EE0C16756CE3CD486C714
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastgethostname
                                                                    • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                    • API String ID: 3782448640-4114407318
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: terminate
                                                                    • String ID: MOC$RCC$csm
                                                                    • API String ID: 1821763600-2671469338
                                                                    APIs
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF7482B18EE), ref: 00007FF7482B21E0
                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7482B221E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                    • String ID: Invalid process id '%d' error %d
                                                                    • API String ID: 73155330-4244389950
                                                                    APIs
                                                                    • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7482B173F), ref: 00007FF7482B3FC8
                                                                    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7482B173F), ref: 00007FF7482B400E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2264006699.00007FF7482B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7482B0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7482b0000_createdump.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFileHeaderRaise
                                                                    • String ID: csm
                                                                    • API String ID: 2573137834-1018135373
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                                    • API String ID: 667068680-295688737
                                                                    APIs
                                                                      • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                                      • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                                      • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                                      • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                                      • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                                      • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                                      • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                                    • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                                    • OpenEventA.KERNEL32 ref: 0000000140008454
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                                    • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                                      • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                                      • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                                      • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                                      • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                                      • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                                      • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                                      • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                                    • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                                    • CloseHandle.KERNEL32 ref: 0000000140008554
                                                                    • CloseHandle.KERNEL32 ref: 0000000140008561
                                                                    • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                                    • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                                    • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                                    • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                                    • String ID:
                                                                    • API String ID: 1089015687-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                                    • String ID:
                                                                    • API String ID: 2074253140-0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: iswdigit$btowclocaleconv
                                                                    • String ID: 0$0
                                                                    • API String ID: 240710166-203156872
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memchr$isdigit$localeconv
                                                                    • String ID: 0$0123456789abcdefABCDEF
                                                                    • API String ID: 1981154758-1185640306
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: iswdigit$localeconv
                                                                    • String ID: 0$0$0123456789abcdefABCDEF
                                                                    • API String ID: 2634821343-613610638
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                                    • String ID: .$.
                                                                    • API String ID: 479945582-3769392785
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 1799700165-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                                    • String ID:
                                                                    • API String ID: 1326169664-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                                    • String ID:
                                                                    • API String ID: 1326169664-0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFormatLastMessage
                                                                    • String ID: GetLastError() = 0x%X
                                                                    • API String ID: 3479602957-3384952017
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: DiskFreeSpace_invalid_parameter_noinfo_noreturnmemcpymemmove
                                                                    • String ID:
                                                                    • API String ID: 1762017149-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale___lc_locale_name_func
                                                                    • String ID:
                                                                    • API String ID: 3366915261-0
                                                                    APIs
                                                                    • memset.VCRUNTIME140 ref: 000000014000475B
                                                                      • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                                      • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                                      • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                                    • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                                      • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                                    • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                                    • API String ID: 2423274481-1946953090
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+
                                                                    • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                                    • API String ID: 2943138195-1388207849
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+
                                                                    • String ID: `anonymous namespace'
                                                                    • API String ID: 2943138195-3062148218
                                                                    APIs
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                                    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                                    • String ID: (
                                                                    • API String ID: 703713002-3887548279
                                                                    • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                                    • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                                    • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                                    • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                                    • String ID: [NOT FOUND ] %s
                                                                    • API String ID: 2350601386-3340296899
                                                                    • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                                    • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                                    • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                                    • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+
                                                                    • String ID:
                                                                    • API String ID: 2943138195-0
                                                                    • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                                    • Instruction ID: 4f4508b26aa8a0d8552ea3d74a8e55ad08a185c526bd8285f8df3e9118556e17
                                                                    • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                                    • Instruction Fuzzy Hash: F7F17C76B08A869AFB10DFA8D4A01EC77B5EB0478CB444036EB4D6BA95DF3CE549C340
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                    • String ID:
                                                                    • API String ID: 1818695170-0
                                                                    • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                                    • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                                    • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                                    • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+
                                                                    • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                                    • API String ID: 2943138195-2309034085
                                                                    • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                                    • Instruction ID: 6d25dfcd1342862d0deba7f21f385fb222df94dfc500b672838d77ce6b5804fa
                                                                    • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                                    • Instruction Fuzzy Hash: 02E14A62E0C61294FB15ABECD9B51BC67A1AF497C8F540236CF0E26AA9DF3CB545C340
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                                    • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                                    • API String ID: 140832405-680935841
                                                                    • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                                    • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                                    • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                                    • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                    • String ID: csm$csm$csm
                                                                    • API String ID: 3436797354-393685449
                                                                    • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                                    • Instruction ID: c304ab78dd0d98073890ea77c25c2a452582aa5c6147a1e88b7abc89428eace4
                                                                    • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                                    • Instruction Fuzzy Hash: 5CD13A72A08B418AEB609BA9D4602AD7BA1FB45BD8F040139EF8D57B59CF3CF595C700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                                    • String ID:
                                                                    • API String ID: 3420081407-0
                                                                    • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                                    • Instruction ID: 8e2102065ad0be9632e5d8b30ccf08c62322b207b3d4a2fe44520b5f1b8bc0c1
                                                                    • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                                    • Instruction Fuzzy Hash: E7A1B062A0C6C286FB39AF2894103BE7A91EF04BE4F444A31DB5D16BC4EF7CE445A341
                                                                    APIs
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
                                                                      • Part of subcall function 00007FF8B915B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
                                                                      • Part of subcall function 00007FF8B915B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
                                                                    • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B913A87E), ref: 00007FF8B9136971
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B913A87E), ref: 00007FF8B913698E
                                                                    • _Maklocstr.LIBCPMT ref: 00007FF8B91369AA
                                                                    • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B913A87E), ref: 00007FF8B91369B3
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B913A87E), ref: 00007FF8B91369D0
                                                                    • _Maklocstr.LIBCPMT ref: 00007FF8B91369EC
                                                                    • _Maklocstr.LIBCPMT ref: 00007FF8B9136A01
                                                                      • Part of subcall function 00007FF8B9124D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D72
                                                                      • Part of subcall function 00007FF8B9124D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D98
                                                                      • Part of subcall function 00007FF8B9124D50: memcpy.VCRUNTIME140(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124DB0
                                                                    Strings
                                                                    • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8B9136999
                                                                    • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF8B91369DB
                                                                    • :AM:am:PM:pm, xrefs: 00007FF8B91369FA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                                    • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                    • API String ID: 2460671452-35662545
                                                                    • Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                                    • Instruction ID: a326cc245c81fdaad747ce138b2a4f9ebc7038490c9f576269766bc71e370ef2
                                                                    • Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                                    • Instruction Fuzzy Hash: 1F218F62A08F8282EB00DF29E4512A977A1FB98FC4F848231DB5D43756EF3CE581D780
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                                    • String ID:
                                                                    • API String ID: 1733283546-0
                                                                    • Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                                    • Instruction ID: 7ae07f7c819b96540b05037bb3693fe540979b6f443935a5fc00c4af79def82d
                                                                    • Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                                    • Instruction Fuzzy Hash: 3E918C72A08BC686EB289F19D44037E76A1FB44BE8F544A34EB5D17B98EF7CE4459300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                    • String ID:
                                                                    • API String ID: 3166507417-0
                                                                    • Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                                    • Instruction ID: f92ee2717abb3413c88bb65d9d771973e2c3d6321cd5b701fbb100745ca7929b
                                                                    • Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                                    • Instruction Fuzzy Hash: FA61C562F086829AFB11DFA9D4401FD2721AB49788F914136DF0D2779ADE3CF94AD700
APIs
• SetDllDirectoryW.KERNEL32 ref: 000000014000721A
• ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
• ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
• ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
• ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
• ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
• ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
• atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
• atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
• ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
  • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
  • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
  • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
  • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
• ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
Memory Dump Source
• Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
Similarity
• API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
• String ID:
• API String ID: 2702579277-0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: ExceptionThrowstd::ios_base::failure::failure
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2003779279-1866435925
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID:
• String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
• API String ID: 0-3207858774
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID: Name::operator+$Name::operator+=
• String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
• API String ID: 179159573-1464470183
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
• String ID:
• API String ID: 3781602613-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID: Name::operator+
• String ID:
• API String ID: 2943138195-0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 211107550-393685449
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: memchrtolower$_errnoisspace
• String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 3508154992-2692187688
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID: Name::operator+
• String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
• API String ID: 2943138195-2239912363
APIs
• ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
• ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
• ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
• ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
• ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
Similarity
• API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
• String ID: ImptRED_CEvent_
• API String ID: 2242036409-942587184
APIs
• ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
• ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
• ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                                    • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                                    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                    • String ID: ImptRED_SEvent_
                                                                    • API String ID: 2242036409-1609572862
                                                                    • Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                                    • Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
                                                                    • Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                                    • Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40
                                                                    APIs
                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                                    • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                                      • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                      • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                      • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                      • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                      • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                                    • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                                    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                    • String ID: ImptRED_CmdMap_
                                                                    • API String ID: 2242036409-3276274529
                                                                    • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                                    • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                                    • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                                    • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                                    APIs
                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                                    • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                                      • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                      • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                      • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                      • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                      • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                                    • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                                    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                    • String ID: ImptRED_DMap_
                                                                    • API String ID: 2242036409-2879874026
                                                                    • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                                    • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                                    • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                                    • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                    • API String ID: 1099746521-1866435925
                                                                    • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                                    • Instruction ID: b65d40f9a18345f8dc2efcc32ccebdbd449eab728e7dce5069b964d76c8f682d
                                                                    • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                                    • Instruction Fuzzy Hash: FD21D391A1858B96FA04BF18D8816FD2321EF547C4F984436D75E025E6FE2ED64AE340
                                                                    APIs
                                                                      • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                                      • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                                      • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                                      • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                                    • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                                    • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                                    • String ID: MRDH$SideCarLut
                                                                    • API String ID: 916663099-3852011117
                                                                    • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                                    • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                                    • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                                    • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                    • API String ID: 2003779279-1866435925
                                                                    • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                                    • Instruction ID: e2114b6e92f3511b482502e1f3318bb0e832523b44a925aaafc5d675d6eb11c0
                                                                    • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                                    • Instruction Fuzzy Hash: 9C618F66A08A8686EB65CF1DD4913B96BA0FB84FC4F548036CB4E477A6DF3DD446E300
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                    • API String ID: 1428583292-1866435925
                                                                    • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                                    • Instruction ID: ca3a484df1cff6dc49d834338f0412ee5b599b7cb7a7cc21fa5c21289f36eeac
                                                                    • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                                    • Instruction Fuzzy Hash: 4F717C72A19A82A9EB50CF29E4802AD37B0FB54BC8F944032EB4D57BA4DF3DD555D700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                                    • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                                    • API String ID: 1852475696-928371585
                                                                    • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                                    • Instruction ID: 3ac18b2b1c50c007c7d29c6d9e444f76a1a5d048688676d789821e7303d06be2
                                                                    • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                                    • Instruction Fuzzy Hash: F3519E62A19A4692EE20CB98E4A06BDB361FF44BD9F405435DB4D47765EF3CF505C700
APIs
• std::ios_base::failure::failure.LIBCPMT ref: 00007FF8B91698D3
• _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B915C678), ref: 00007FF8B91698E4
• std::ios_base::failure::failure.LIBCPMT ref: 00007FF8B9169927
• _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B915C678), ref: 00007FF8B9169938
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: ExceptionThrowstd::ios_base::failure::failure
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2003779279-1866435925
• Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
• Instruction ID: 855a5117ddf409555e054ea29fc1ea96c2da6f25aa565a93ba7d0b6eef5b264c
• Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
• Instruction Fuzzy Hash: D0618C62A08A8A86EB65CF1DD4913B92B60FB84FD8F558036CB4E473A6DF3DD446D340
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: memchrtolower$_errnoisspace
• String ID: 0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 3508154992-4256519037
• Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
• Instruction ID: 1cb21f90bed685518efcbc9adb03daa241ce91a1fb2b24f6b964d864efe99e72
• Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
• Instruction Fuzzy Hash: 6351D622A0DBC646F7218E29A8103797E90AF45BD4F8A4036DF9D43796DF3CF842A701
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID: Name::operator+$Name::operator+=
• String ID: {for
• API String ID: 179159573-864106941
• Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
• Instruction ID: 5646e32a3e87211d3cb43c94bc2ac8cf56fa6be53f93fc6759ba3e57043f6a55
• Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
• Instruction Fuzzy Hash: 11515972A08A89A9FB129FA8D4513EC77A1FB45788F808035EB4C4BB99DF7CE555C340
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: ExceptionThrowstd::ios_base::failure::failure
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2003779279-1866435925
• Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
• Instruction ID: 848ca20e76936694f1410d10bc088d97bf48a2bf8f22c00e1e0535aee9833601
• Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
• Instruction Fuzzy Hash: 10515E62A08A8A81EB50DF2DD4802AD7760EF44FC4F648536DB5E836B5EF3DE546D300
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF8BFB56A6B,?,?,00000000,00007FF8BFB5689C,?,?,?,?,00007FF8BFB565E5), ref: 00007FF8BFB56931
• GetLastError.KERNEL32(?,?,?,00007FF8BFB56A6B,?,?,00000000,00007FF8BFB5689C,?,?,?,?,00007FF8BFB565E5), ref: 00007FF8BFB5693F
• wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB56A6B,?,?,00000000,00007FF8BFB5689C,?,?,?,?,00007FF8BFB565E5), ref: 00007FF8BFB56958
• LoadLibraryExW.KERNEL32(?,?,?,00007FF8BFB56A6B,?,?,00000000,00007FF8BFB5689C,?,?,?,?,00007FF8BFB565E5), ref: 00007FF8BFB5696A
• FreeLibrary.KERNEL32(?,?,?,00007FF8BFB56A6B,?,?,00000000,00007FF8BFB5689C,?,?,?,?,00007FF8BFB565E5), ref: 00007FF8BFB569B0
• GetProcAddress.KERNEL32(?,?,?,00007FF8BFB56A6B,?,?,00000000,00007FF8BFB5689C,?,?,?,?,00007FF8BFB565E5), ref: 00007FF8BFB569BC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
• String ID: api-ms-
• API String ID: 916704608-2084034818
• Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
• Instruction ID: 02fae29bc83136c0fc4e9673bbbb61e8bf76dedf702c2311f7aa863e44cb34a3
• Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
• Instruction Fuzzy Hash: AA31AF21A2AA8291EE119B8AE8205B573A5BF08FE0F594539DF2D4B394EF3CF544C700
APIs
  • Part of subcall function 00007FF8B915B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
  • Part of subcall function 00007FF8B915B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
  • Part of subcall function 00007FF8B915B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
  • Part of subcall function 00007FF8B915B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
• _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B9151309
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B9151326
• _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B915134B
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B9151368
  • Part of subcall function 00007FF8B9124D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D72
  • Part of subcall function 00007FF8B9124D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D98
  • Part of subcall function 00007FF8B9124D50: memcpy.VCRUNTIME140(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124DB0
Strings
• :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8B9151331
• :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF8B9151373
• :AM:am:PM:pm, xrefs: 00007FF8B9151392
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
• String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
• API String ID: 1539549574-35662545
• Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
• Instruction ID: de711fb4f9f2a5c54af67bbd6d40e0801d3a026cd5a5aa4fb8bd56ccdd891761
• Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
• Instruction Fuzzy Hash: F0219C62A04B8282EB00DF39E4502A877A1FB98FC4F888234DB5D03756EF3CE581D380
APIs
  • Part of subcall function 00007FF8B915B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
  • Part of subcall function 00007FF8B915B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
  • Part of subcall function 00007FF8B915B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
  • Part of subcall function 00007FF8B915B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
• _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9136A5E
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9136A7B
• _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9136A9B
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9136AB8
  • Part of subcall function 00007FF8B9124DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9136AB5,?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9124DF9
  • Part of subcall function 00007FF8B9124DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9136AB5,?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9124E28
  • Part of subcall function 00007FF8B9124DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FF8B9136AB5,?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9124E3F
Strings
• :AM:am:PM:pm, xrefs: 00007FF8B9136AD4
• :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FF8B9136AC3
• :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8B9136A86
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
• String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
• API String ID: 1539549574-3743323925
• Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
• Instruction ID: d891cb3744b54b913580fab437af6160e7919777c56896bf2c38224bbbb81ca5
• Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
• Instruction Fuzzy Hash: DE213E62A08B8682EB10DF29E45427977B0FB99BC4F844234EB8E43756EF7CE584D740
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID: abort$AdjustPointer
• String ID:
• API String ID: 1501936508-0
• Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
• Instruction ID: d603c67e47ef0a207dfe27a44a4542029c61f6478c5206d2513d602d1720f631
• Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
• Instruction Fuzzy Hash: 0A518F62E0BA8381FAA99BDDD864638B794AF44FD4F098435CF4D0AB95DF2CF4418300
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID: abort$AdjustPointer
• String ID:
• API String ID: 1501936508-0
• Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
• Instruction ID: 4b3a9116b2d3d73f37c0235d6d5e05ad41767a2e1467df25b0bf8d18af087b7e
• Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
• Instruction Fuzzy Hash: 29517A62A0BA4281FE66DB9DD9A4639B394AF55FC4F098435CF4E06B95DF2CF8428300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                    • String ID:
                                                                    • API String ID: 578106097-0
                                                                    • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                                    • Instruction ID: 9a159152d5b05c318ad7b88451cc3e0019ee933c3fa9d145e14ab9bddff79a71
                                                                    • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                                    • Instruction Fuzzy Hash: F561D222B1C68286E711EE69E4816BE6720FB857C4F914532EF4E1769ADE3CF50AD700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                    • String ID:
                                                                    • API String ID: 578106097-0
                                                                    • Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                                    • Instruction ID: bcbeeb36afea2f9dc3cc11df316b389b777daaeee9c58a78a03d57576143749d
                                                                    • Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                                    • Instruction Fuzzy Hash: 8161D222B1C68286E611DF69E4816AE6760FF947C4F914132EF4E53786DE3CF90ADB00
                                                                    APIs
                                                                      • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                      • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                      • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                                    • memmove.VCRUNTIME140 ref: 000000014000C3C8
                                                                    • memmove.VCRUNTIME140 ref: 000000014000C427
                                                                      • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                                      • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memmove$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                                    • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                                    • API String ID: 1084872782-103080910
                                                                    • Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                                    • Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
                                                                    • Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                                    • Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: FileHeader_local_unwind
                                                                    • String ID: MOC$RCC$csm$csm
                                                                    • API String ID: 2627209546-1441736206
                                                                    • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                                    • Instruction ID: 8b18119cb169274b0427895217e15c40434db6177f9f2c4d31bf0135eca136ed
                                                                    • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                                    • Instruction Fuzzy Hash: 42518C72A0969286EA609FA9D82077D77A0FF84BDAF542035EF4C42389DF3CF4418A01
                                                                    APIs
                                                                    • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                    • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                    • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                                    • String ID:
                                                                    • API String ID: 1492985063-0
                                                                    • Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                                    • Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
                                                                    • Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                                    • Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300
                                                                    APIs
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BB38
                                                                    • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BB48
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BB5D
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BB91
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BB9B
                                                                    • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BBAB
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BBBB
                                                                      • Part of subcall function 00007FF8B91725AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125AF8), ref: 00007FF8B91725C6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                                    • String ID:
                                                                    • API String ID: 2538139528-0
                                                                    • Opcode ID: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                                    • Instruction ID: 736e615300fa704c14b68547afb9320fb7e51f340d6a885c9cf9d724a2e8a063
                                                                    • Opcode Fuzzy Hash: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                                    • Instruction Fuzzy Hash: 7941D761B08AC291EE04EF2AE4442ADB711FB45BC4F548936EF1D0BB9ADE7CD042D340
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                    • API String ID: 2924853686-1866435925
                                                                    • Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                                    • Instruction ID: aaeb4666f7f55b84b265fbea5bfe31972b63df0ee766399fe9239dc12aa8f411
                                                                    • Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                                    • Instruction Fuzzy Hash: F7417972A18B86A6EB548F29E4403AD33B0FB14BD8F544131DB4C47699EF3CE5A5D740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentThread$xtime_get
                                                                    • String ID:
                                                                    • API String ID: 1104475336-0
                                                                    • Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                                    • Instruction ID: 72640e153548432687ccb97043169fcd0a192c7c333477db660b2a0e6f9a46ca
                                                                    • Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                                    • Instruction Fuzzy Hash: D1412B32A4C687A7EA60CF1DE48423D67B0EB44B95F904035CB5E436A0DF3DE886E705
                                                                    APIs
                                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8B9143B56
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
                                                                      • Part of subcall function 00007FF8B915B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
                                                                      • Part of subcall function 00007FF8B915B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
                                                                    • _Maklocstr.LIBCPMT ref: 00007FF8B9143BCF
                                                                    • _Maklocstr.LIBCPMT ref: 00007FF8B9143BE5
                                                                    • _Getvals.LIBCPMT ref: 00007FF8B9143C8A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                    • String ID: false$true
                                                                    • API String ID: 2626534690-2658103896
                                                                    • Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                                    • Instruction ID: 8e2265737388c63edfe95bfd04dbabd9170986ebe73cab0ddbdfdbf9d7fbc245
                                                                    • Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                                    • Instruction Fuzzy Hash: 8A414C26B08B819AF711CF78E4401ED33B1FB98788B445226EF4D27A59EF38D556D740
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: NameName::atol
                                                                    • String ID: `template-parameter$void
                                                                    • API String ID: 2130343216-4057429177
                                                                    • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                                    • Instruction ID: 3acdff01d3a00e3b639569eeb64e13ac25778d08a1f52df0c35ff8e179dc44cd
                                                                    • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                                    • Instruction Fuzzy Hash: 1C411762F18B5698FB109BA8D8612AC73B2BB08BC8F945139DF0D6AB55DF7CA505C340
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+
                                                                    • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                    • API String ID: 2943138195-2211150622
                                                                    • Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                                    • Instruction ID: 1e411f4135ee2d5e95ea954832af5444a362bdecd609dc8be444898ddb99e59e
                                                                    • Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                                    • Instruction Fuzzy Hash: 77414572E18B4A98FB118FACD8902BC7BA0BB09788F544135DB8D567A8DF3CE545C780
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+
                                                                    • String ID: char $int $long $short $unsigned
                                                                    • API String ID: 2943138195-3894466517
                                                                    • Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                                    • Instruction ID: 1feacaae37452b96976730b65e3e800e7e0e4f0ca23d181b3b194f2c29aeec6f
                                                                    • Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                                    • Instruction Fuzzy Hash: 9C416A32E1865699FB158FECD8641BCB7B5BB09788F448136CB0C66BA8DF3CA544C700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                                    • String ID:
                                                                    • API String ID: 3009415009-0
                                                                    • Opcode ID: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                                    • Instruction ID: 0a596272a44caf847c68ad0738a1e576f5eee9ab73cdba6fb126906faa9765ea
                                                                    • Opcode Fuzzy Hash: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                                    • Instruction Fuzzy Hash: BEE14762B09B8689FB119FA9D4402AC7771FB49BC8F504126DF5D27B99EE3CD44AE300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Dunscale$_errno
                                                                    • String ID:
                                                                    • API String ID: 2900277114-0
                                                                    • Opcode ID: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                                    • Instruction ID: 568b6ce82dd5dbae737ac8d74f9071eb91b9aee1e2448c90fde593143a1a7b5c
                                                                    • Opcode Fuzzy Hash: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                                    • Instruction Fuzzy Hash: 83A1C227D18ECA86E711DF3884401BE2362FF567D9F524275EB4E26695EF3CB092A300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Dunscale$_errno
                                                                    • String ID:
                                                                    • API String ID: 2900277114-0
                                                                    • Opcode ID: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                                    • Instruction ID: 0ade39402dfc91655789d8cf412355592a2bef5f226b80c5af1bf853d1b877a8
                                                                    • Opcode Fuzzy Hash: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                                    • Instruction Fuzzy Hash: 75A1B332A086C79AEB11DEAA85800BD6355FF5A3D8F554230E74E22695DF3CB496E700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memmove$memcpy$_invalid_parameter_noinfo_noreturn
                                                                    • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                                    • API String ID: 100741404-1215215629
                                                                    • Opcode ID: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                                    • Instruction ID: 1f94f83d43c849715069b53280c3cf1e8531b19b99bc01c412034d7b6d4e24df
                                                                    • Opcode Fuzzy Hash: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                                    • Instruction Fuzzy Hash: B19122B1211A8499EB22DF27F8503DA7361F74ABD4F884222EB490B7B9DB7EC141C701
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: fgetc
                                                                    • String ID:
                                                                    • API String ID: 2807381905-0
                                                                    • Opcode ID: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                                    • Instruction ID: 2ad5b62e7eca843feb65e89c0015f3d8be78e529fa1bcf865ab3c2ef860d7c0f
                                                                    • Opcode Fuzzy Hash: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                                    • Instruction Fuzzy Hash: 42914872609A8688EB20DF29C4943AC37A5FB48B98F551632EB5E47B99EF3DD444D300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                    • String ID:
                                                                    • API String ID: 3490103321-0
                                                                    • Opcode ID: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                                    • Instruction ID: 31a00726f80fb3f199ab033892900d13c69a01f8ede2b5bf741ee60074b682c8
                                                                    • Opcode Fuzzy Hash: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                                    • Instruction Fuzzy Hash: 8561F322B1C68286E711EF69E4816BE6720FB857C4F518532EF4E13699DF7CF50A9700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                    • String ID:
                                                                    • API String ID: 3490103321-0
                                                                    • Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                                    • Instruction ID: f14bb56eb7d18db2bb469e3ebe6f40cbd93177674a751de9a420512cfa0a584d
                                                                    • Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                                    • Instruction Fuzzy Hash: B761D222B1CA8286E751DF69E4816BE6760FB94784F514132EF4E23785DF3CF40A9B00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 1775671525-0
                                                                    • Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                                    • Instruction ID: d1abc1b4701f7aafcc57dfb66c3483a6424928abd47938a84e0209444e89b9bd
                                                                    • Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                                    • Instruction Fuzzy Hash: B541D26571878A91EE14AF1EE5046AD7751EB08BE0F544A32DF6D07BD6EE3CE041E300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: FileHandle$CloseCreateInformation
                                                                    • String ID:
                                                                    • API String ID: 1240749428-0
                                                                    • Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                                    • Instruction ID: 7757d78ef445638918937adb4b66833cf11e60cd472ee932bd6299ffdccbb9eb
                                                                    • Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                                    • Instruction Fuzzy Hash: 6341C172F086828AF720CF78A8107AD37A0AB487A8F015735EE2D02AD4EF3CD5959740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                                    • String ID:
                                                                    • API String ID: 3741236498-0
                                                                    • Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                                    • Instruction ID: af0933bb3797747168a052490f2502fc375b4c4dbe54d5d6b32d139cdbcd485a
                                                                    • Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                                    • Instruction Fuzzy Hash: F931DF22B29B9191EB11DF6EA81456973A1FF08FE4B594639DF2D43380EE3DE842C300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                                    • String ID:
                                                                    • API String ID: 2153537742-0
                                                                    APIs
                                                                    • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8B9125F96), ref: 00007FF8B9122F59
                                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125F96), ref: 00007FF8B9122F6B
                                                                    • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8B9125F96), ref: 00007FF8B9122F7A
                                                                    • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8B9125F96), ref: 00007FF8B9122FE0
                                                                    • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8B9125F96), ref: 00007FF8B9122FEE
                                                                    • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FF8B9125F96), ref: 00007FF8B9123001
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                                    • String ID:
                                                                    • API String ID: 490008815-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle$FileUnmapView
                                                                    • String ID:
                                                                    • API String ID: 260491571-0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: abort$CallEncodePointerTranslator
                                                                    • String ID: MOC$RCC
                                                                    • API String ID: 2889003569-2084237596
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+
                                                                    • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                                    • API String ID: 2943138195-757766384
                                                                    APIs
                                                                    • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                                      • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                      • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                                    • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                                    • API String ID: 3207467095-2931640462
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: abort$CallEncodePointerTranslator
                                                                    • String ID: MOC$RCC
                                                                    • API String ID: 2889003569-2084237596
                                                                    APIs
                                                                    • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8B9159122), ref: 00007FF8B9159CFA
                                                                    • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8B9159122), ref: 00007FF8B9159D0B
                                                                    • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8B9159122), ref: 00007FF8B9159D64
                                                                    • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8B9159122), ref: 00007FF8B9159E14
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: isspace$isalnumisxdigit
                                                                    • String ID: (
                                                                    • API String ID: 3355161242-3887548279
                                                                    APIs
                                                                    • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8B915B212), ref: 00007FF8B915BBFE
                                                                    • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8B915B212), ref: 00007FF8B915BC0F
                                                                    • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8B915B212), ref: 00007FF8B915BC76
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: iswspace$iswxdigit
                                                                    • String ID: (
                                                                    • API String ID: 3812816871-3887548279
                                                                    APIs
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
                                                                      • Part of subcall function 00007FF8B915B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
                                                                      • Part of subcall function 00007FF8B915B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
                                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FF8B913A22C), ref: 00007FF8B9143A25
                                                                      • Part of subcall function 00007FF8B912B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9151347,?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B912B7BF
                                                                      • Part of subcall function 00007FF8B912B794: memcpy.VCRUNTIME140(?,?,00000000,00007FF8B9151347,?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B912B7DB
                                                                    • _Getvals.LIBCPMT ref: 00007FF8B9143A61
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                                    • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                    • API String ID: 3848194746-3573081731
APIs
• localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8B9143CE2
  • Part of subcall function 00007FF8B915B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
  • Part of subcall function 00007FF8B915B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
  • Part of subcall function 00007FF8B915B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
  • Part of subcall function 00007FF8B915B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
• _Maklocstr.LIBCPMT ref: 00007FF8B9143D5B
• _Maklocstr.LIBCPMT ref: 00007FF8B9143D71
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
• String ID: false$true
• API String ID: 309754672-2658103896
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: ExceptionThrowstd::ios_base::failure::failure
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2003779279-1866435925
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: ExceptionThrowstd::ios_base::failure::failure
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2003779279-1866435925
APIs
• ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
• ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
• memcpy.VCRUNTIME140 ref: 0000000140006DD5
• ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
Memory Dump Source
• Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
Similarity
• API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
• String ID:
• API String ID: 3275830057-0
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: fgetwc
• String ID:
• API String ID: 2948136663-0
Memory Dump Source
• Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
Similarity
• API ID: memcpy$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 2665656946-0
APIs
• memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912B9D3
• memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912B9E1
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BA1A
• memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BA24
• memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8B9151347), ref: 00007FF8B912BA32
  • Part of subcall function 00007FF8B91725AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125AF8), ref: 00007FF8B91725C6
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
• String ID:
• API String ID: 3375828981-0
Memory Dump Source
• Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
• Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
Similarity
• API ID: NameName::$Name::operator+
• String ID:
• API String ID: 826178784-0
APIs
  • Part of subcall function 00007FF8B9132160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF8B9124C3E,?,?,00000000,00007FF8B9125B5B), ref: 00007FF8B913216F
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125B5B), ref: 00007FF8B9124C47
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125B5B), ref: 00007FF8B9124C5B
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125B5B), ref: 00007FF8B9124C6F
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125B5B), ref: 00007FF8B9124C83
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125B5B), ref: 00007FF8B9124C97
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125B5B), ref: 00007FF8B9124CAB
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: free$setlocale
• String ID:
• API String ID: 294139027-0
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: __acrt_iob_func$abortfputcfputs
• String ID:
• API String ID: 2697642930-0
Memory Dump Source
• Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
• Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturnmemmove
• String ID: %.0Lf$0123456789-
• API String ID: 4032823789-3094241602
                                                                    • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                                    • Instruction ID: 9871e04ab4cf04ac7d509c07b268791289dcbc76c0eca4acf3d1b14ae3349bf7
                                                                    • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                                    • Instruction Fuzzy Hash: BC713762B19B96C9EB00CFA9E4542AC2771EB48BD8F404136EF4D1BB99DE3CD44AD740
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                                    • String ID: 0123456789-
                                                                    • API String ID: 2457263114-3850129594
                                                                    • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                                    • Instruction ID: c6bb517d1c2951638215973ccd8c80104840848b30dab29e4e6b53b65125772f
                                                                    • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                                    • Instruction Fuzzy Hash: 31717822B09B8689FB01CFA9D4502AC7771AB59BD8F450036DF5E17BA9CE3CE45AD340
                                                                    APIs
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID: gfffffff$gfffffff
                                                                    • API String ID: 3668304517-161084747
                                                                    • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                                    • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                                    • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                                    • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                                    • String ID: %.0Lf
                                                                    • API String ID: 1248405305-1402515088
                                                                    • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                                    • Instruction ID: 918cbc68d499a2f8ee9e9b9230a3f7b73f76af605e1504e05dd6406b57b1f270
                                                                    • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                                    • Instruction Fuzzy Hash: F5619E62B08BC285EB01DFBAE8402AD6761EB49BD4F554135EF4D27B6ADE3CE046D300
                                                                    APIs
                                                                      • Part of subcall function 00007FF8BFB56710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB5239E), ref: 00007FF8BFB5671E
                                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB541C3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: abort
                                                                    • String ID: $csm$csm
                                                                    • API String ID: 4206212132-1512788406
                                                                    • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                                    • Instruction ID: e1e926ce83c20af8917b42cc972f7549b617d7a558e764d6ddef93e09155bbd5
                                                                    • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                                    • Instruction Fuzzy Hash: 9D71AF32908691C6DB688FAA94747797BA1FB04BC8F148135DF8C47A89CB3CE451C741
                                                                    APIs
                                                                      • Part of subcall function 00007FF8BFB56710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB5239E), ref: 00007FF8BFB5671E
                                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB53F13
                                                                    • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF8BFB53F23
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                                    • String ID: csm$csm
                                                                    • API String ID: 4108983575-3733052814
                                                                    • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                                    • Instruction ID: c3a8c95847d54fc58d33ba0368de09549c581773c2054d2f03c3bc8bbb52fa09
                                                                    • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                                    • Instruction Fuzzy Hash: 1951373390878286EA648BAAE46426877A1FB54BD5F184136EB8D47B95CF3CF465CB00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Exception$RaiseThrowabort
                                                                    • String ID: csm
                                                                    • API String ID: 3758033050-1018135373
                                                                    • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                                    • Instruction ID: 5958e2687d2ecef1b62ae7c7f488682aa2ca5f0f6ca38713bfaa7da5603392a6
                                                                    • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                                    • Instruction Fuzzy Hash: 50519A23904BC686EB25DF28C4502AC33A0FB58B98F559721DB5D037A6EF3DE596C300
                                                                    APIs
                                                                    • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8B912F8D4
                                                                    • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8B912F8E6
                                                                    • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8B912F96B
                                                                      • Part of subcall function 00007FF8B9124D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D72
                                                                      • Part of subcall function 00007FF8B9124D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D98
                                                                      • Part of subcall function 00007FF8B9124D50: memcpy.VCRUNTIME140(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124DB0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: setlocale$freemallocmemcpy
                                                                    • String ID: bad locale name
                                                                    • API String ID: 1663771476-1405518554
                                                                    • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                                    • Instruction ID: d3667526b5a9b869d98233a3314a2c974988db6a89857c26ed7b1d343f51afe2
                                                                    • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                                    • Instruction Fuzzy Hash: 123170A2F0C6C251FB55AF1DA54017EB691AF85BC0F688036EB5E47795EE3CE881A340
                                                                    APIs
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
                                                                      • Part of subcall function 00007FF8B915B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
                                                                      • Part of subcall function 00007FF8B915B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
                                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FF8B9152278), ref: 00007FF8B915434D
                                                                      • Part of subcall function 00007FF8B912B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9151347,?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B912B7BF
                                                                      • Part of subcall function 00007FF8B912B794: memcpy.VCRUNTIME140(?,?,00000000,00007FF8B9151347,?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B912B7DB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                                    • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                    • API String ID: 3376215315-3573081731
                                                                    • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                                    • Instruction ID: 11fbc4867e5d0c5e47368550ec46eac845030cb2d24c7b59ab66e3fe4b49405f
                                                                    • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                                    • Instruction Fuzzy Hash: 7941DE72A08BD29BE761CF29D18156E7BA0FB84B81B064235DB8953E51DF3CF562DB00
                                                                    APIs
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
                                                                      • Part of subcall function 00007FF8B915B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
                                                                      • Part of subcall function 00007FF8B915B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
                                                                      • Part of subcall function 00007FF8B915B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
                                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FF8B913A07C), ref: 00007FF8B91438E1
                                                                      • Part of subcall function 00007FF8B912B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9151347,?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B912B7BF
                                                                      • Part of subcall function 00007FF8B912B794: memcpy.VCRUNTIME140(?,?,00000000,00007FF8B9151347,?,?,?,?,?,?,?,?,?,00007FF8B915243E), ref: 00007FF8B912B7DB
                                                                      • Part of subcall function 00007FF8B91367B0: _Maklocstr.LIBCPMT ref: 00007FF8B91367E0
                                                                      • Part of subcall function 00007FF8B91367B0: _Maklocstr.LIBCPMT ref: 00007FF8B91367FF
                                                                      • Part of subcall function 00007FF8B91367B0: _Maklocstr.LIBCPMT ref: 00007FF8B913681E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                                    • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                    • API String ID: 2904694926-3573081731
                                                                    • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                                    • Instruction ID: 3c7b76735b4c0dd4178b00ed8fa028954fb486d0224f28e20d9b09508e8553d5
                                                                    • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                                    • Instruction Fuzzy Hash: D941AC72A08BC297EB24CF29D68056E7BA1FB88781B054235DB8D43B01DB7CF566DB00
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: NameName::
                                                                    • String ID: %lf
                                                                    • API String ID: 1333004437-2891890143
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindNext$wcscpy_s
                                                                    • String ID: .
                                                                    • API String ID: 544952861-248832578
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                                    • String ID: ios_base::badbit set
                                                                    • API String ID: 1099746521-3882152299
                                                                    APIs
                                                                      • Part of subcall function 00007FF8BFB56710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB5239E), ref: 00007FF8BFB5671E
                                                                    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB5243E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: abortterminate
                                                                    • String ID: MOC$RCC$csm
                                                                    • API String ID: 661698970-2671469338
                                                                    APIs
                                                                    • __C_specific_handler.LIBVCRUNTIME ref: 00007FF8BFB5E9F0
                                                                      • Part of subcall function 00007FF8BFB5EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8BFB5ECF0
                                                                      • Part of subcall function 00007FF8BFB5EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8BFB5E9F5), ref: 00007FF8BFB5ED3F
                                                                      • Part of subcall function 00007FF8BFB56710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB5239E), ref: 00007FF8BFB5671E
                                                                    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB5EA1A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                                    • String ID: csm$f
                                                                    • API String ID: 2451123448-629598281
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+
                                                                    • String ID:
                                                                    • API String ID: 2943138195-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+$NameName::
                                                                    • String ID:
                                                                    • API String ID: 168861036-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_invalid_parameter_noinfo_noreturnmemmove
                                                                    • String ID:
                                                                    • API String ID: 48703092-0
                                                                    APIs
                                                                    • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FF8B91367E5), ref: 00007FF8B9136EA1
                                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FF8B91367E5), ref: 00007FF8B9136EF2
                                                                    • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FF8B91367E5), ref: 00007FF8B9136EFC
                                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8B9136F3D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 1775671525-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 1775671525-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
                                                                    • String ID:
                                                                    • API String ID: 2233944734-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                                    • String ID:
                                                                    • API String ID: 2234106055-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                                    • String ID:
                                                                    • API String ID: 3857474680-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: Name::operator+
                                                                    • String ID:
                                                                    • API String ID: 2943138195-0
                                                                    APIs
                                                                    • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FF8B914E921), ref: 00007FF8B915AFB7
                                                                    • memcpy.VCRUNTIME140(?,00000000,?,?,?,00007FF8B914E921), ref: 00007FF8B915AFDB
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FF8B914E921), ref: 00007FF8B915AFE8
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FF8B914E921), ref: 00007FF8B915B05B
                                                                      • Part of subcall function 00007FF8B9122E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B9122E5A
                                                                      • Part of subcall function 00007FF8B9122E30: LCMapStringEx.KERNEL32 ref: 00007FF8B9122E9E
                                                                    Similarity
                                                                    • API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
                                                                    • String ID:
                                                                    • API String ID: 2888714520-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _fsopen$fclosefseek
                                                                    • String ID:
                                                                    • API String ID: 410343947-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _wfsopen$fclosefseek
                                                                    • String ID:
                                                                    • API String ID: 1261181034-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                                    • String ID:
                                                                    • API String ID: 4174221723-0
                                                                    APIs
                                                                    • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FF8B915576B), ref: 00007FF8B915A604
                                                                    • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FF8B915576B), ref: 00007FF8B915A60E
                                                                      • Part of subcall function 00007FF8B91226E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B9122728
                                                                      • Part of subcall function 00007FF8B91226E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B912274E
                                                                      • Part of subcall function 00007FF8B91226E0: GetCPInfo.KERNEL32 ref: 00007FF8B9122792
                                                                    • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FF8B915576B), ref: 00007FF8B915A631
                                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF8B915576B), ref: 00007FF8B915A66F
                                                                    Similarity
                                                                    • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                                    • String ID:
                                                                    • API String ID: 3421985146-0
                                                                    APIs
                                                                    • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                                      • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                      • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                                    • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                                    • API String ID: 1351999747-1487749591
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: memmove$FormatFreeLocalMessage
                                                                    • String ID: unknown error
                                                                    • API String ID: 725469203-3078798498
                                                                    APIs
                                                                    • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
                                                                    • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
                                                                    • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
                                                                    • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
                                                                    Similarity
                                                                    • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                                    • String ID:
                                                                    • API String ID: 3203701943-0
                                                                    APIs
                                                                    Strings
Similarity
• API ID: malloc
• String ID: MOC$RCC$csm
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturnmemmove
• String ID: 0123456789-
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturnswprintf_s
• String ID: %.0Lf
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturnswprintf_s
• String ID: %.0Lf
APIs
Strings
Similarity
• API ID: rand_s
• String ID: invalid random_device value
APIs
Strings
Similarity
• API ID: abort$CreateFrameInfo
• String ID: csm
APIs
Strings
Similarity
• API ID: Strftime_invalid_parameter_noinfo_noreturn
• String ID: !%x
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8B9123305
  • Part of subcall function 00007FF8B91725AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9125AF8), ref: 00007FF8B91725C6
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8B91257FA,?,?,?,00007FF8B9124438), ref: 00007FF8B91232FE
Strings
Similarity
• API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
• String ID: ios_base::failbit set
APIs
Strings
Similarity
• API ID: Name::operator+
• String ID: void$void
APIs
  • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturnmemset
• String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
APIs
• localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF8B912C744), ref: 00007FF8B912F1D4
  • Part of subcall function 00007FF8B915B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B0
  • Part of subcall function 00007FF8B915B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0B8
  • Part of subcall function 00007FF8B915B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0C1
  • Part of subcall function 00007FF8B915B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8B9126093), ref: 00007FF8B915B0DD
Strings
Similarity
• API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
• String ID: false$true
APIs
Strings
                                                                    Similarity
                                                                    • API ID: FileHeader$ExceptionRaise
                                                                    • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                                    • API String ID: 3685223789-3176238549
                                                                    • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                                    • Instruction ID: 496eb874a3fbf633a6eff4bd88adb95b14331acc875ed49346b0e27dbbdd2633
                                                                    • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                                    • Instruction Fuzzy Hash: 3D017161A39A46A2EE409B9CE4A1178B321FF90BD4F446431D70E076A5EF6CE509C700
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFileHeaderRaise
                                                                    • String ID: csm
                                                                    • API String ID: 2573137834-1018135373
                                                                    • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                                    • Instruction ID: 0d60ede2826aa13833294e470ad5a6c625a1db08d483e1a769d18e3cbbf4327b
                                                                    • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                                    • Instruction Fuzzy Hash: E2115E32A18B8182EB618F29F450269BBA5FB88BC4F188235DF8C07B58DF3CD551CB00
                                                                    APIs
                                                                    • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8B9126A3D
                                                                      • Part of subcall function 00007FF8B9124DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9136AB5,?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9124DF9
                                                                      • Part of subcall function 00007FF8B9124DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9136AB5,?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9124E28
                                                                      • Part of subcall function 00007FF8B9124DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FF8B9136AB5,?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9124E3F
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8B9126A5A
                                                                    Strings
                                                                    • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FF8B9126A65
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: free$Getmonthsmallocmemcpy
                                                                    • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                                    • API String ID: 1628830074-2030377133
                                                                    • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                                    • Instruction ID: bc9cf341307c15a4e5ca52b57076787646211d828dbe231b203ca3bf1242e87c
                                                                    • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                                    • Instruction Fuzzy Hash: 38E03922A04B8292EA409F06F58426863A0FB48BC4F845034DB0E02B90EF3CE4A49300
                                                                    APIs
                                                                    • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8B91262CD
                                                                      • Part of subcall function 00007FF8B9124D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D72
                                                                      • Part of subcall function 00007FF8B9124D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D98
                                                                      • Part of subcall function 00007FF8B9124D50: memcpy.VCRUNTIME140(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124DB0
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8B91262EA
                                                                    Strings
                                                                    • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8B91262F5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: free$Getdaysmallocmemcpy
                                                                    • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                    • API String ID: 1347072587-3283725177
                                                                    • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                                    • Instruction ID: 6a6c76170e7b26df8b970f5def7efc4dceda909fc40cfbf7581d22eb1041a0b3
                                                                    • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                                    • Instruction Fuzzy Hash: 19E0ED61B14BC292EA049F16F594369A3A0FF48BC0F848435DB2D077A5EF3CE4A49710
                                                                    APIs
                                                                    • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8B91269ED
                                                                      • Part of subcall function 00007FF8B9124DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9136AB5,?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9124DF9
                                                                      • Part of subcall function 00007FF8B9124DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8B9136AB5,?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9124E28
                                                                      • Part of subcall function 00007FF8B9124DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FF8B9136AB5,?,?,?,?,?,?,?,?,?,00007FF8B913A96E), ref: 00007FF8B9124E3F
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8B9126A0A
                                                                    Strings
                                                                    • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8B9126A15
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: free$Getdaysmallocmemcpy
                                                                    • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                    • API String ID: 1347072587-3283725177
                                                                    • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                                    • Instruction ID: c1f06a5363953545f3573b7f0c33f97dc3a0be293b70dd4ab01d791f4f2000b0
                                                                    • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                                    • Instruction Fuzzy Hash: 78E0ED22B15B8292EE109F1AF58436963A0EF48BD4F944135DB1D07B95EF3CE4E49710
                                                                    APIs
                                                                    • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8B912633D
                                                                      • Part of subcall function 00007FF8B9124D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D72
                                                                      • Part of subcall function 00007FF8B9124D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124D98
                                                                      • Part of subcall function 00007FF8B9124D50: memcpy.VCRUNTIME140(?,?,?,00007FF8B9132124,?,?,?,00007FF8B91243DB,?,?,?,00007FF8B9125B31), ref: 00007FF8B9124DB0
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8B912635A
                                                                    Strings
                                                                    • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF8B9126365
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: free$Getmonthsmallocmemcpy
                                                                    • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                                    • API String ID: 1628830074-4232081075
                                                                    • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                                    • Instruction ID: 96133e852ee2f3a88fb621baeca2401da4596426fb9c0624b270cfe1e97df4a7
                                                                    • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                                    • Instruction Fuzzy Hash: 33E0C961B15B8692EE009F1AF58436963A0EB58BC0F984035EB1D067A5EF3CE4E4D790
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionThrow
                                                                    • String ID:
                                                                    • API String ID: 432778473-0
                                                                    • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                                    • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                                    • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                                    • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2265682303.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2265643139.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265705951.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265742555.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                    • Associated: 0000000B.00000002.2265766261.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_140000000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 2822070131-0
                                                                    • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                                    • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                                    • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                                    • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,?,00007FF8BFB565B9,?,?,?,?,00007FF8BFB5FB22,?,?,?,?,?), ref: 00007FF8BFB5674B
                                                                    • SetLastError.KERNEL32(?,?,?,00007FF8BFB565B9,?,?,?,?,00007FF8BFB5FB22,?,?,?,?,?), ref: 00007FF8BFB567D4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267266509.00007FF8BFB51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8BFB50000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267242414.00007FF8BFB50000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267293769.00007FF8BFB61000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267332878.00007FF8BFB66000.00000004.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 0000000B.00000002.2267350261.00007FF8BFB67000.00000002.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8bfb50000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1452528299-0
                                                                    • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                                    • Instruction ID: 0f316b3ddc17d20a9136edbe4253cd6c3dcf0af2a4e995e5e263b499be007de8
                                                                    • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                                    • Instruction Fuzzy Hash: 44111F24E2D65292FA649BA9A87413573A2AF48BE0F14463CDF6E477D5DE3CF8418700
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                                    • Instruction ID: c68a9c6ec983e679c4d3d9eeb5a74d0b97dca6ecc61cb9f9bdadb679f41ed448
                                                                    • Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                                    • Instruction Fuzzy Hash: 36F0E776B19B8296EB449F1AE9A41687760FF88BD0F144031CB5D43B70DF7CE4A5A310
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                                    • Instruction ID: 6430aeae72ba16b5e3f0c202d9762489bac3fae6b22b905fa15342a16effecf5
                                                                    • Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                                    • Instruction Fuzzy Hash: 1EF0E762B18B8292EB449F1AE9A416867A0FB8CBD0F144031CB5D43B74DF7CE4A5A310
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                                    • Instruction ID: edcf0a811f872bae91d122bb0e79a2e330cbbaa1d3a42616b82fe5cd86f0f0ae
                                                                    • Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                                    • Instruction Fuzzy Hash: DAF03766B18B8292EB059F1AEAA41286760FB88FD0F144031CB5D03B30DF3CE4A5A300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.2267083270.00007FF8B9121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9120000, based on PE: true
                                                                    • Associated: 0000000B.00000002.2267064771.00007FF8B9120000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267122071.00007FF8B9175000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267171149.00007FF8B91A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267188894.00007FF8B91A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                    • Associated: 0000000B.00000002.2267208944.00007FF8B91A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_7ff8b9120000_ImporterREDServer.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                                    • Instruction ID: 587f5d397b59df949467ed1ccb93ff1faa87a2d4cf19a70dd7f7775727029095
                                                                    • Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                                    • Instruction Fuzzy Hash: EAE02FA6F15A8282FF149F25D8A40386774FF9CF95B181032CF1E46274DE7CD495A310