

Windows Analysis Report
setup.msi

Overview

General Information

Sample name: setup.msi
Analysis ID: 1579577
MD5: e6f25573a231abe0101b01998e9726a5
SHA1: 53cc9f5f4d5660904cbd6005c6942e305da2080a
SHA256: dd9a35580fb957e710b73bd805da94ea04eaccddc0700e6190cf6c3e1f9ccd8e
Tags: cubermo-com, LegionLoader, msi, RobotDropper, user-aachum

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6784 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6888 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7160 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EDEDFC81D2561B5D361B65129421F09D MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 1608 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss4FA0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi4F8E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr4F8F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr4F90.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5772 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 4248 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 5776 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started. Five Sigma rules matched the same process-creation event; rule authors:
  • Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
  • Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
  • frack113
  • frack113
  • Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Event data (Command, CommandLine and ProcessCommandLine are identical):
    CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss4FA0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi4F8E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr4F8F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr4F90.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    CommandLine|base64offset|contains: (empty)
    Image (also NewProcessName, OriginalFileName): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EDEDFC81D2561B5D361B65129421F09D
    ParentImage: C:\Windows\SysWOW64\msiexec.exe
    ParentProcessId: 7160, ParentProcessName: msiexec.exe
    ProcessId: 1608, ProcessName: powershell.exe
Source: Network Connection. Author: frack113. Data: DestinationIp: 104.21.65.145, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7160, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Suricata IDS alerts
  Timestamp: 2024-12-23T01:41:11.683187+0100
  SID: 2829202
  Severity: 1
  Classtype: A Network Trojan was detected
  Source: 192.168.2.4:49730
  Destination: 104.21.65.145:443
  Protocol: TCP
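All five process-creation matches fire on one event: the SysWOW64 custom-action host (msiexec.exe -Embedding, PID 7160) launching powershell.exe with -ExecutionPolicy Bypass on a script in %TEMP%. The -propFile/-scriptFile/-scriptArgsFile/-propSep/-lineSep/-testPrefix arguments are the ones Advanced Installer's PowerShell custom action passes to its launcher script (PowerShellScriptLauncher.pdb and AICustAct.pdb under C:\ReleaseAI\ appear among the binary strings in this report), so any MSI built with that feature produces the same Sigma hits; the verdict has to come from what the dropped script and the rest of the tree do, here cmd.exe running suriqk.bat out of AppData\Roaming and starting ImporterREDServer.exe. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule: it reimplements the three checks over process-creation records and walks the parent chain so each hit is shown with its ancestry. The PIDs, images and command lines are copied from the process tree above; the ppid links, the explorer.exe record and the benign PowerShell record (PID 9002) are constructed assumptions, and the rule names are mine.

```python
import ntpath
import re

# Process-creation records modelled on the report's process tree. PIDs, images
# and command lines are copied from it; the ppid links, the explorer.exe record
# and the benign PowerShell record (9002) are constructed for illustration.
EVENTS = [
    {"pid": 1234, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 6784, "ppid": 1234, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"'},
    {"pid": 6888, "ppid": 700, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 7160, "ppid": 6888, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmd": r"C:\Windows\syswow64\MsiExec.exe -Embedding EDEDFC81D2561B5D361B65129421F09D"},
    {"pid": 1608, "ppid": 7160, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss4FA0.ps1" '
            r'-propFile "C:\Users\user\AppData\Local\Temp\msi4F8E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr4F8F.ps1"'},
    {"pid": 5772, "ppid": 6888, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" '
            r'"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""'},
    {"pid": 4248, "ppid": 5772, "image": r"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe",
     "cmd": r'"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"'},
    {"pid": 5776, "ppid": 6888, "image": r"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe",
     "cmd": r'"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"'},
    # Benign control (assumed): an admin script run from explorer with the same policy flag.
    {"pid": 9002, "ppid": 1234, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Scripts\backup.ps1"'},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -ExecutionPolicy Bypass and the abbreviations PowerShell accepts (-ep, -ex, -exec)
POLICY_BYPASS_RE = re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)
TEMP_PS1_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"]*\.ps1\b', re.I)
USER_DIR_SCRIPT_RE = re.compile(r'\\AppData\\(?:Roaming|Local\\Temp)\\[^"]*\.(?:bat|cmd|ps1|vbs|js)\b', re.I)


def basename(path):
    return ntpath.basename(path).lower()


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def ancestry(by_pid, pid):
    """Image names from pid upward until an ancestor is missing from the log."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def rule_msiexec_embedding_parent(evt, by_pid):
    """Non-msiexec child of an out-of-process custom-action host (msiexec -Embedding <clsid>)."""
    parent = by_pid.get(evt["ppid"])
    return (parent is not None
            and basename(parent["image"]) == "msiexec.exe"
            and "-embedding" in parent["cmd"].lower()
            and basename(evt["image"]) != "msiexec.exe")


def rule_powershell_bypass_temp(evt, by_pid):
    """powershell.exe with an execution-policy bypass running a .ps1 out of %TEMP%."""
    return (basename(evt["image"]) in {"powershell.exe", "pwsh.exe"}
            and POLICY_BYPASS_RE.search(evt["cmd"]) is not None
            and TEMP_PS1_RE.search(evt["cmd"]) is not None)


def rule_script_from_user_dir(evt, by_pid):
    """A script interpreter handed a script that lives under a user-writable profile path."""
    return (basename(evt["image"]) in INTERPRETERS
            and USER_DIR_SCRIPT_RE.search(evt["cmd"]) is not None)


RULES = {
    "msiexec_embedding_parent": rule_msiexec_embedding_parent,
    "powershell_bypass_script_in_temp": rule_powershell_bypass_temp,
    "script_from_user_writable_dir": rule_script_from_user_dir,
}


def evaluate(events):
    """Return (rule, pid, ancestry) for every rule that matches an event."""
    by_pid = index_by_pid(events)
    hits = []
    for evt in events:
        for name, rule in RULES.items():
            if rule(evt, by_pid):
                hits.append((name, evt["pid"], " <- ".join(ancestry(by_pid, evt["pid"]))))
    return hits


if __name__ == "__main__":
    for name, pid, chain in evaluate(EVENTS):
        print(f"{name:34} pid={pid:<5} {chain}")
```

The benign record (an admin running backup.ps1 from explorer with the same -ExecutionPolicy Bypass) matches nothing, because every rule keys on the parent or on the script's location rather than on the policy flag alone; the report's PID 1608 matches all three, and the cmd.exe launch of suriqk.bat (PID 5772) matches the user-writable-directory rule even though its parent, the msiexec.exe service instance, carries no -Embedding.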



AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 81.8% probability
Source: C:\Windows\System32\msiexec.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{87CA9E75-24E5-41BB-A46A-754C76747E62}
Source: unknown; HTTPS traffic detected: 104.21.65.145:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000006.00000000.1814958283.00007FF604618000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 00000009.00000000.1817009422.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: ucrtbase.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 00000009.00000002.1819522162.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 00000009.00000000.1817009422.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000006.00000000.1814958283.00007FF604618000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSI3295.tmp.1.dr, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 5e2796.msi.1.dr
Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Windows\System32\cmd.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE013FA330 FindFirstFileExW, FindClose, wcscpy_s, _invalid_parameter_noinfo_noreturn

Networking

Source: Network traffic; Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 104.21.65.145:443
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: cubermo.com
Source: unknown; HTTP traffic detected:
  POST /updater.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  User-Agent: AdvancedInstaller
  Host: cubermo.com
  Content-Length: 71
  Cache-Control: no-cache
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ImporterREDServer.exe.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ImporterREDServer.exe.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: setup.msi, 5e2796.msi.1.dr; String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ImporterREDServer.exe.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: setup.msi, 5e2796.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ImporterREDServer.exe.1.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: setup.msi, 5e2796.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ImporterREDServer.exe.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ImporterREDServer.exe.1.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: setup.msi, 5e2796.msi.1.dr; String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: ImporterREDServer.exe.1.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: ImporterREDServer.exe.1.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: setup.msi, 5e2796.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0K
Source: setup.msi, 5e2796.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0N
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000002.1765943811.0000000004BE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1769598413.000000000735A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: setup.msi, 5e2796.msi.1.dr; String found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000003.00000002.1765943811.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1765943811.0000000004BE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1769598413.000000000735A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: ImporterREDServer.exe.1.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ImporterREDServer.exe, 00000009.00000002.1819522162.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr; String found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000003.00000002.1765943811.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: setup.msi, 5e2796.msi.1.dr; String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: setup.msi, 5e2796.msi.1.dr; String found in binary or memory: https://cubermo.com/updater.phpx
Source: powershell.exe, 00000003.00000002.1765943811.0000000004BE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1769598413.000000000735A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1765943811.0000000005154000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: setup.msi, 5e2796.msi.1.dr, ImporterREDServer.exe.1.dr; String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown; HTTPS traffic detected: 104.21.65.145:443 -> 192.168.2.4:49730 version: TLS 1.2
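The Suricata hit (ETPRO SID 2829202) keys on the User-Agent of the POST to cubermo.com/updater.php, and that POST was seen inside the only connection in the report, the TLS 1.2 session from msiexec.exe (PID 7160) to 104.21.65.145:443, so the sandbox is decrypting TLS. Two caveats follow for anyone turning this into production detection: on a sensor without TLS inspection only the DNS query, the SNI, the destination IP and the JA3 remain visible, and since the client is msiexec.exe itself the JA3 is the Windows TLS stack's and will match plenty of benign traffic; and the User-Agent is simply the installer framework's name (DataUploader.pdb among the binary strings is the custom action that sends it), so it also matches telemetry from benign Advanced Installer packages unless paired with the host or URI. The Python below is an added example, not part of the report: it parses the request as captured, lists the indicators available at each visibility level and emits one Suricata rule for each. The request line and headers are the ones listed above; the 71-byte form body and its field names are constructed (the report gives only Content-Length: 71), and the IOC set is assembled from this report only.

```python
from urllib.parse import parse_qs

# Indicators taken from the report: beacon host and IP, JA3 hash, URI, User-Agent.
IOC = {
    "domains": {"cubermo.com"},
    "ips": {"104.21.65.145"},
    "ja3": {"37f463bf4616ecd445d4a1937da06e19"},
    "user_agents": {"AdvancedInstaller"},
    "uris": {"/updater.php"},
}

# Constructed request: request line and headers are the ones the report shows;
# the 71-byte form body is an assumption, the report does not reproduce it.
RAW_REQUEST = (
    b"POST /updater.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    b"User-Agent: AdvancedInstaller\r\n"
    b"Host: cubermo.com\r\n"
    b"Content-Length: 71\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"product=App+x+installer&version=1.0.0&action=install&id=0123456789abcde"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body.

    Header names are lower-cased; a body that does not match Content-Length is
    rejected so a truncated capture is never scored as a complete beacon.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but {len(body)} body bytes")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body into {name: [values]}."""
    return parse_qs(body.decode("utf-8"), keep_blank_values=True)


def http_indicators(req):
    """Indicators that exist only when the HTTP layer is in the clear."""
    h = req["headers"]
    hits = []
    host = h.get("host", "").split(":")[0].lower()
    if host in IOC["domains"]:
        hits.append("host:" + host)
    if h.get("user-agent") in IOC["user_agents"]:
        hits.append("user-agent:" + h["user-agent"])
    path = req["target"].split("?", 1)[0]
    if path in IOC["uris"]:
        hits.append("uri:" + path)
    if req["method"] == "POST" and h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        hits.append("form-post")
    return hits


def tls_indicators(sni, dst_ip, ja3_hash):
    """Indicators a sensor still sees when the session stays encrypted."""
    hits = []
    if sni.lower() in IOC["domains"]:
        hits.append("sni:" + sni.lower())
    if dst_ip in IOC["ips"]:
        hits.append("dst:" + dst_ip)
    if ja3_hash.lower() in IOC["ja3"]:
        hits.append("ja3:" + ja3_hash.lower())
    return hits


def suricata_rules(base_sid):
    """One rule that needs decrypted HTTP, one that works on the TLS handshake."""
    http = ('alert http $HOME_NET any -> $EXTERNAL_NET any '
            '(msg:"setup.msi beacon - AdvancedInstaller UA POST /updater.php"; '
            'flow:established,to_server; http.method; content:"POST"; '
            'http.uri; content:"/updater.php"; http.user_agent; content:"AdvancedInstaller"; '
            f'classtype:trojan-activity; sid:{base_sid}; rev:1;)')
    tls = ('alert tls $HOME_NET any -> $EXTERNAL_NET any '
           '(msg:"setup.msi beacon - TLS to cubermo.com"; flow:established,to_server; '
           'tls.sni; content:"cubermo.com"; nocase; endswith; '
           f'classtype:trojan-activity; sid:{base_sid + 1}; rev:1;)')
    return http, tls


if __name__ == "__main__":
    req = parse_http_request(RAW_REQUEST)
    print(http_indicators(req), form_fields(req["body"]))
    print(tls_indicators("cubermo.com", "104.21.65.145", "37f463bf4616ecd445d4a1937da06e19"))
    for rule in suricata_rules(1000001):
        print(rule)
```

The HTTP rule requires the User-Agent, the URI and the POST method together, which is what separates this beacon from an ordinary Advanced Installer telemetry upload; the TLS rule matches on SNI alone because the JA3 is not specific enough to carry a rule by itself, and it is the rule that fires on a sensor that cannot see the payload.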
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\5e2793.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI30EA.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI3177.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI31B7.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI31F6.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI3265.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI3295.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI32D4.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI4331.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\SourceHash{87CA9E75-24E5-41BB-A46A-754C76747E62}
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI4EEA.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI4EFA.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\5e2796.msi
Source: C:\Windows\System32\msiexec.exe; File deleted: C:\Windows\Installer\MSI30EA.tmp
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE013FF9B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE01412208
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE0142F9DA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE01422880
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE013FE8B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE014060D0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE0140ABB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE01414340
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE0142A27C
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE01416338
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE0142BDA0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE014295A8
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE01422D70
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE0140CDF0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE01416C84
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE01406440
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE01415470
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 9_2_00007FFE01409460
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE01410C609_2_00007FFE01410C60
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE0140BCD09_2_00007FFE0140BCD0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE014244E09_2_00007FFE014244E0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE013FC7809_2_00007FFE013FC780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE014147809_2_00007FFE01414780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE01408FB09_2_00007FFE01408FB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE013FD8109_2_00007FFE013FD810
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE0142B6989_2_00007FFE0142B698
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE0140DF109_2_00007FFE0140DF10
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE014107109_2_00007FFE01410710
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE01413F009_2_00007FFE01413F00
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 9_2_00007FFE1A4675089_2_00007FFE1A467508
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: setup.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameDataUploader.dllF vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameucrtbase.dllj% vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenamevcruntime140.dllT vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenamemsvcp140.dllT vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs setup.msi
Source: dvacore.dll.1.dr | Binary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engine | Classification label: mal68.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_0000000140010BE0 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_00007FFE013FA7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML55A8.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF76AB9CCC4883A262.TMP
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EDEDFC81D2561B5D361B65129421F09D
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss4FA0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi4F8E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr4F8F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr4F90.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvacore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: libzip.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_system.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_filesystem.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvaunittesting.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: utest.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{87CA9E75-24E5-41BB-A46A-754C76747E62}Jump to behavior
Source: setup.msiStatic file information: File size 60282097 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000006.00000000.1814958283.00007FF604618000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 00000009.00000000.1817009422.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: ucrtbase.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 00000009.00000002.1819522162.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 00000009.00000000.1817009422.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000006.00000000.1814958283.00007FF604618000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 5e2796.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSI3295.tmp.1.dr, 5e2796.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 5e2796.msi.1.dr
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.dr | Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr | Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr | Static PE information: section name: _RDATA
Source: createdump.exe.1.dr | Static PE information: section name: _RDATA
Source: MSI4EFA.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI30EA.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI3177.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI31B7.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI31F6.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI3265.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI3295.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI32D4.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI4331.tmp.1.dr | Static PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00D20E55 push esi; retf 3_2_00D20E7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00D2BD82 push esp; ret 3_2_00D2BD93
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4EFA.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI31F6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4331.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI32D4.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI30EA.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3177.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3295.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI31B7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3265.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_00007FFE0142C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,9_2_00007FFE0142C0C0
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3396
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2028
Source: C:\Windows\System32\msiexec.exe | Dropped PE files which have not been started (43 files):
  under C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ (34 files): api-ms-win-core-console-l1-2-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-crt-conio-l1-1-0.dll, boost_regex.dll, api-ms-win-core-file-l2-1-0.dll, BCUninstaller.exe, api-ms-win-crt-environment-l1-1-0.dll, boost_program_options.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-memory-l1-1-0.dll, api-ms-win-core-namedpipe-l1-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-core-util-l1-1-0.dll, api-ms-win-core-string-l1-1-0.dll, api-ms-win-crt-filesystem-l1-1-0.dll, api-ms-win-core-rtlsupport-l1-1-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-interlocked-l1-1-0.dll, api-ms-win-core-processenvironment-l1-1-0.dll, api-ms-win-core-debug-l1-1-0.dll, api-ms-win-crt-convert-l1-1-0.dll, api-ms-win-core-timezone-l1-1-0.dll, api-ms-win-core-file-l1-2-0.dll, api-ms-win-core-console-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll, UnRar.exe, api-ms-win-core-processthreads-l1-1-1.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-datetime-l1-1-0.dll, api-ms-win-core-libraryloader-l1-1-0.dll
  under C:\Windows\Installer\ (9 files): MSI32D4.tmp, MSI30EA.tmp, MSI3177.tmp, MSI3295.tmp, MSI4EFA.tmp, MSI31F6.tmp, MSI31B7.tmp, MSI3265.tmp, MSI4331.tmp
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7056 | Thread sleep count: 3396 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7056 | Thread sleep count: 2028 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6788 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6424 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (7 occurrences)
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_00007FFE013FA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,9_2_00007FFE013FA330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: 5e2796.msi.1.drBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 6_2_00007FF604612ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FF604612ECC (listed twice by the report)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 6_2_00007FF604612984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF604612984
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 6_2_00007FF604613074 SetUnhandledExceptionFilter,6_2_00007FF604613074
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_0000000140011F24 SetUnhandledExceptionFilter,9_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_00007FFE01442CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FFE01442CDC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_00007FFE1A454568 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FFE1A454568
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 9_2_00007FFE1A47004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FFE1A47004C
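The FirmwareTableInformation query by msiexec.exe at the top of this section, together with the vendor names in the 5e2796.msi string block (VMware, Inc., VMware Virtual Platform, innotek GmbH, VirtualBox, Microsoft Corporation, Virtual Machine, next to a "Manufacturer [ ... Model [ ... BIOS [" format string), is the usual shape of an SMBIOS-based virtual machine check: read the raw 'RSMB' table with GetSystemFirmwareTable, pull the BIOS vendor (Type 0) and system manufacturer/product (Type 1) strings, and compare them against a hypervisor list. The Python below is an added example of that check, not code from the sample or from Joe Sandbox. The marker list is copied from the report's string dump; the SMBIOS blob the parser is run on is constructed in the block, and the kernel32 reader is only used when the script runs on Windows.

```python
"""SMBIOS-based VM check of the kind behind the report's
"Query firmware table information (likely to detect VMs)" entry.
Added example: not code from setup.msi or from Joe Sandbox. The marker
list is copied from the report's 5e2796.msi string dump; the RSMB blob
built below is constructed test data, not captured from the sample."""
import ctypes
import struct
import sys

# Hypervisor vendor/product strings that appear in the report's string dump.
VM_MARKERS = (
    "VMware, Inc.", "VMware Virtual Platform", "VMware7,1", "VMware20,1",
    "innotek GmbH", "VirtualBox", "Microsoft Corporation", "Virtual Machine",
)
RSMB = 0x52534D42  # 'RSMB': raw SMBIOS provider for GetSystemFirmwareTable


def read_rsmb_table():
    """Windows only: fetch the raw SMBIOS table through kernel32."""
    if sys.platform != "win32":
        raise OSError("GetSystemFirmwareTable exists only on Windows")
    k32 = ctypes.windll.kernel32
    size = k32.GetSystemFirmwareTable(RSMB, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(RSMB, 0, buf, size)
    return buf.raw


def iter_smbios_structures(raw):
    """Yield (type, formatted_area, strings) from a RawSMBIOSData blob:
    an 8-byte header, then records of type/length/handle + formatted bytes,
    each followed by a NUL-separated string set closed by a double NUL."""
    _, _, _, _, length = struct.unpack_from("<BBBBI", raw, 0)
    data = raw[8:8 + length]
    off = 0
    while off + 4 <= len(data):
        stype, slen = data[off], data[off + 1]
        formatted = data[off:off + slen]
        pos, strings = off + slen, []
        while True:
            end = data.find(b"\x00", pos)
            if end < 0:                  # malformed: unterminated string set
                return
            if end == pos:               # empty string: end of the set
                pos += 1
                break
            strings.append(data[pos:end].decode("ascii", "replace"))
            pos = end + 1
        if not strings:                  # an empty set is encoded as two NULs
            pos += 1
        yield stype, formatted, strings
        if stype == 127:                 # End-of-Table structure
            return
        off = pos


def smbios_string(formatted, strings, index_offset):
    """Resolve the 1-based string index stored at index_offset (0 = none)."""
    idx = formatted[index_offset] if index_offset < len(formatted) else 0
    return strings[idx - 1] if 0 < idx <= len(strings) else ""


def firmware_identity(raw):
    """BIOS vendor (Type 0, offset 4) plus system manufacturer and product
    (Type 1, offsets 4 and 5): the fields a Manufacturer/Model/BIOS check reads."""
    ident = {"bios_vendor": "", "manufacturer": "", "product": ""}
    for stype, fmt, strs in iter_smbios_structures(raw):
        if stype == 0:
            ident["bios_vendor"] = smbios_string(fmt, strs, 4)
        elif stype == 1:
            ident["manufacturer"] = smbios_string(fmt, strs, 4)
            ident["product"] = smbios_string(fmt, strs, 5)
    return ident


def vm_markers_found(raw):
    """Sorted markers from VM_MARKERS found (case-insensitively) in the identity."""
    ident = firmware_identity(raw)
    return sorted({m for v in ident.values() for m in VM_MARKERS
                   if m.lower() in v.lower()})


def _structure(stype, handle, tail, strings):
    """Encode one SMBIOS structure and its string set (constructed test data)."""
    body = bytes([stype, 4 + len(tail)]) + struct.pack("<H", handle) + tail
    strset = b"".join(s.encode() + b"\x00" for s in strings) + b"\x00"
    return body + (strset if strings else b"\x00\x00")


def build_sample_rsmb(bios_vendor, manufacturer, product):
    """Constructed RawSMBIOSData blob with Type 0, Type 1 and Type 127 records."""
    t0 = _structure(0, 0x0000, bytes([1, 2, 0, 0, 3]) + bytes(9),
                    [bios_vendor, "1.0", "12/01/2024"])
    t1 = _structure(1, 0x0001, bytes([1, 2, 3, 4]) + bytes(16) + bytes([6]),
                    [manufacturer, product, "1.0", "0"])
    end = _structure(127, 0x0002, b"", [])
    structs = t0 + t1 + end
    return struct.pack("<BBBBI", 0, 3, 0, 0, len(structs)) + structs


if __name__ == "__main__":
    blob = (read_rsmb_table() if sys.platform == "win32"
            else build_sample_rsmb("innotek GmbH", "innotek GmbH", "VirtualBox"))
    print(firmware_identity(blob), vm_markers_found(blob))
```

On a VirtualBox guest the identity resolves to innotek GmbH / VirtualBox and both markers are reported. Note that the list taken from the report also matches "Microsoft Corporation", which is the SMBIOS manufacturer of Surface hardware as well as of Hyper-V guests, so a check built from exactly these strings misfires on physical Surface machines; that ambiguity is why the report words the signature as "likely to detect VMs".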

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss4FA0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi4F8E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr4F8F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr4F90.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." (listed twice by the report in this form and twice more in a lower-cased form)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: ___lc_locale_name_func,GetLocaleInfoEx,9_2_00007FFE0141EFC0
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 6_2_00007FF604612DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_00007FF604612DA0
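The process-creation entries in this and the preceding section describe the whole execution chain the two Sigma hits match: msiexec.exe starts powershell.exe with -ExecutionPolicy Bypass and a -File script in %LOCALAPPDATA%\Temp, and msiexec.exe starts cmd.exe /c on suriqk.bat in the %APPDATA% install directory, which in turn starts ImporterREDServer.exe, the only dropped executable the report shows running. The Python below is an added example of detection logic for that chain, not code from Joe Sandbox and not a Sigma rule: the rule functions and the benign explorer.exe control event are mine, while the three suspicious command lines are copied from the report's entries. Two caveats a detection engineer should carry over: the report lists the PowerShell command line both in its original and in a lower-cased form, so the matching is case-insensitive throughout; and the -propFile/-scriptFile/-scriptArgsFile/-propSep/-lineSep/-testPrefix argument set is the wrapper an MSI-authoring tool emits for PowerShell custom actions (my reading of the command line, not something the report states), so the execution-policy bypass on its own is weak evidence and the rules below are meant to be read together, with the parent process recorded in every hit.

```python
"""Detection logic for the msiexec -> powershell / cmd -> payload chain in
the report above. Added example, not part of the Joe Sandbox report and not a
Sigma rule: the rules and the benign explorer.exe event are mine; the three
suspicious command lines are copied from the report's entries."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
_ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.I)
_BATCH_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:bat|cmd))\b', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Windows-style split: double-quoted runs stay together as one token."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def rule_powershell_bypass_from_temp(ev):
    """powershell.exe with an execution-policy override (-ExecutionPolicy,
    -ex, -exec, -ep) set to Bypass and a -File script under
    %LOCALAPPDATA%\\Temp. Case-insensitive: the report shows the same
    command line both in original and in lower-cased form."""
    if basename(ev.image) != "powershell.exe":
        return None
    toks = split_cmdline(ev.command_line)
    low = [t.lower() for t in toks]
    bypass = script_in_temp = False
    for i, tok in enumerate(low[:-1]):
        if (tok == "-ep" or tok.startswith("-ex")) and low[i + 1] == "bypass":
            bypass = True
        if tok in ("-f", "-file") and _TEMP_DIR.search(toks[i + 1]):
            script_in_temp = True
    return "powershell_bypass_from_temp" if bypass and script_in_temp else None


def rule_batch_from_roaming(ev):
    """cmd.exe running a .bat/.cmd that lives under %APPDATA% (script
    interpreter started on a script in a user-writable profile folder)."""
    if basename(ev.image) != "cmd.exe":
        return None
    for path in _BATCH_PATH.findall(ev.command_line):
        if _ROAMING_DIR.search(path):
            return "batch_from_roaming"
    return None


def rule_payload_from_roaming(ev):
    """A PE under %APPDATA% started by a script host: the last hop of the
    chain (cmd.exe -> ImporterREDServer.exe in the report)."""
    hosts = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
    if (basename(ev.parent_image) in hosts and _ROAMING_DIR.search(ev.image)
            and ev.image.lower().endswith(".exe")):
        return "payload_from_roaming"
    return None


RULES = (rule_powershell_bypass_from_temp, rule_batch_from_roaming,
         rule_payload_from_roaming)


def evaluate(events):
    """Return (rule, image, parent) for every hit; the parent is kept so the
    msiexec origin of the first two hops stays visible to the analyst."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, basename(ev.image), basename(ev.parent_image)))
    return hits


# Constructed event log: the first three command lines are the ones the
# report records; the explorer.exe event is a benign control I added.
APPX = r"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss4FA0.ps1" '
              r'-propFile "C:\Users\user\AppData\Local\Temp\msi4F8E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr4F8F.ps1" '
              r'-scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr4F90.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."'),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""' + APPX + r'\suriqk.bat" "' + APPX + r'\ImporterREDServer.exe""'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", APPX + r"\ImporterREDServer.exe",
              '"' + APPX + r'\ImporterREDServer.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'-NoProfile -File "C:\Scripts\backup.ps1"'),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed log, the three report-derived events each produce one hit (powershell_bypass_from_temp with parent msiexec.exe, batch_from_roaming with parent msiexec.exe, payload_from_roaming with parent cmd.exe) and the control event produces none; feeding the same PowerShell line lower-cased, as the report also lists it, still matches.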
MITRE ATT&CK matrix (figures in parentheses are the count badges the report attaches to the techniques it observed, reproduced as extracted; cells without one come from the report's matrix template and had no matching signature):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (1) | Replication Through Removable Media (1) | Command and Scripting Interpreter (1) | Scripting (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (1) | DLL Side-Loading (1) | Windows Service (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Windows Service (1) | Process Injection (11) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Timestomp (1) | NTDS | System Information Discovery (24) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (111) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Process Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (21) | DCSync | Virtualization/Sandbox Evasion (121) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (121) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (11) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1579577. Sample: setup.msi. Start date: 23/12/2024. Architecture: WINDOWS. Score: 68.
Top-level signatures: Suricata IDS alerts for network traffic; AI detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder.
Network: cubermo.com resolves to 104.21.65.145 (CLOUDFLARENET, United States); contacted on port 443 from local port 49730 by the child msiexec.exe.
Process tree (graph node numbers in brackets; the trailing figures are the graph's created-file and created-registry-value badges as extracted):
  msiexec.exe [9] 139 107
    dropped: C:\Windows\Installer\MSI4EFA.tmp (PE32); C:\Windows\Installer\MSI4331.tmp (PE32); C:\Windows\Installer\MSI32D4.tmp (PE32); 52 other files (none is malicious)
    msiexec.exe [14] 14
      dropped: C:\Users\user\AppData\Local\...\scr4F8F.ps1 (Unicode); C:\Users\user\AppData\Local\...\pss4FA0.ps1 (Unicode); C:\Users\user\AppData\Local\...\msi4F8E.txt (Unicode)
      signatures: Query firmware table information (likely to detect VMs); Bypasses PowerShell execution policy
      powershell.exe [23] 17
        conhost.exe [31]
    cmd.exe [19] 1
      ImporterREDServer.exe [25] 1
        conhost.exe [33]
      conhost.exe [27]
    createdump.exe [21] 1
      conhost.exe [29]
  msiexec.exe [12] 2

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll | 0% | ReversingLabs
C:\Windows\Installer\MSI30EA.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI3177.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI31B7.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI31F6.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI3265.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI3295.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI32D4.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI4331.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cubermo.com | 104.21.65.145 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://cubermo.com/updater.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1765943811.0000000004BE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1769598413.000000000735A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1765943811.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1765943811.0000000004BE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1769598413.000000000735A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.1765943811.0000000005154000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1768335843.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mick | setup.msi, 5e2796.msi.1.dr | false | | unknown
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 00000009.00000002.1819522162.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr | false | | unknown
https://aka.ms/winui2/webview2download/Reload(): | setup.msi, 5e2796.msi.1.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1765943811.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cubermo.com/updater.phpx | setup.msi, 5e2796.msi.1.dr | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1765943811.0000000004BE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1769598413.000000000735A000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.65.145 | cubermo.com | United States | 13335 | CLOUDFLARENETUS | false
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1579577
                                    Start date and time:2024-12-23 01:40:13 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 29s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:setup.msi
                                    Detection:MAL
                                    Classification:mal68.evad.winMSI@17/91@1/1
                                    EGA Information:
                                    • Successful, ratio: 33.3%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 14
                                    • Number of non-executed functions: 206
                                    Cookbook Comments:
                                    • Found application associated with file extension: .msi
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ImporterREDServer.exe, PID 4248 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 1608 because it is empty
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
19:41:12 | API Interceptor | 4x Sleep call for process: powershell.exe modified
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cubermo.com | installer.msi | malicious | Unknown | 172.67.164.25
cubermo.com | setup.msi | malicious | Unknown | 172.67.164.25
cubermo.com | Setup.msi | malicious | Unknown | 172.67.164.25
cubermo.com | q9bzWO2X1r.msi | malicious | Unknown | 172.67.164.25
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | bas.exe | malicious | LummaC | 104.21.71.155
CLOUDFLARENETUS | Wine.exe | malicious | LummaC | 104.21.50.161
CLOUDFLARENETUS | tg.exe | malicious | Babadeda | 172.67.74.152
CLOUDFLARENETUS | Launcher_x64.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | tg.exe | malicious | Babadeda | 104.26.12.205
CLOUDFLARENETUS | setup.exe | malicious | Babadeda | 104.26.13.205
CLOUDFLARENETUS | AmsterdamCryptoLTD.exe | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | 104.21.80.1
CLOUDFLARENETUS | WonderHack.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | installer.msi | malicious | Unknown | 172.67.164.25
CLOUDFLARENETUS | external.exe | malicious | LummaC | 104.21.19.35
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | Setup.exe | malicious | Unknown | 104.21.65.145
37f463bf4616ecd445d4a1937da06e19 | Setup.exe | malicious | Unknown | 104.21.65.145
37f463bf4616ecd445d4a1937da06e19 | AmsterdamCryptoLTD.exe | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | 104.21.65.145
37f463bf4616ecd445d4a1937da06e19 | installer.msi | malicious | Unknown | 104.21.65.145
37f463bf4616ecd445d4a1937da06e19 | GoldenContinent.exe | malicious | Vidar | 104.21.65.145
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.65.145
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 104.21.65.145
37f463bf4616ecd445d4a1937da06e19 | LightSpoofer.exe | malicious | Unknown | 104.21.65.145
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | installer.msi | malicious | Unknown
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | setup.msi | malicious | Unknown
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Setup.msi | malicious | Unknown
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | q9bzWO2X1r.msi | malicious | Unknown
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | installer.msi | malicious | Unknown
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | setup.msi | malicious | Unknown
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | Setup.msi | malicious | Unknown
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | q9bzWO2X1r.msi | malicious | Unknown
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):20965
                                                    Entropy (8bit):5.776441235810277
                                                    Encrypted:false
                                                    SSDEEP:384:aYs8fwNaxXnJFbQC2tNMlXf45tHVqdYYqSqNHOuVAKEDXayj/nHpEXNP4dvNvJ1B:aB8fwNaxXnJFbQC2tNMlXf45tHVqdYYt
                                                    MD5:C840A0AF2AB574E1B0969E4D9162006A
                                                    SHA1:F48DB2AFCF5DEBE8E397467909346F66E3970674
                                                    SHA-256:6BF127E945BC18A0A18BD91D363825465D1E98BB7DAA15E777B0EEFB4C41DB67
                                                    SHA-512:96CB0720278CDF6A583D2BC0FB9A8C53DDCA86A217F757ED2D4809BB8B586750560063FAC9DC6F1138B89C3C3B8A8EEA1E6FBAF94DC5CD2AF93B1F24B1A6E28F
                                                    Malicious:false
                                                    Preview:...@IXOS.@.....@'..Y.@.....@.....@.....@.....@.....@......&.{87CA9E75-24E5-41BB-A46A-754C76747E62}..App x installer..setup.msi.@.....@.....@.....@......icon_22.exe..&.{4F7ACFB3-EB7E-4D07-B834-8DA9E6627AD6}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{87CA9E75-24E5-41BB-A46A-754C76747E62}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{87CA9E75-24E5-41BB-A46A-754C76747E62}.@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}&.{87CA9E75-24E5-41BB-A46A-754C76747E62}.@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}&.{87CA9E75-24E5-41BB-A46A-754C76747E62}.@......&.{DE28A560-E5E1-4035-8CA3-44934686A249}&.{87CA9E75-24E5-41BB-A46A-754C76747E62}.@......&.{03D39B98-E7BB-4062-BD92-307D642A5CF1}&.{87CA9E75-24E5-41BB-A46A-754C76747E62}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{87CA9E
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1360
                                                    Entropy (8bit):5.413197223328133
                                                    Encrypted:false
                                                    SSDEEP:24:3UWSKco4KmZjKbmOIKoas4RPT6moUP7mZ9t7J0gt/NK3R82ia8HSVbV:EWSU4xympx4RfoUP7mZ9tK8NWR82TVbV
                                                    MD5:F0E4B5549FF78352EBD6448B9429FFA8
                                                    SHA1:149E861BA526D24A16C48AC05AD32AED292D3385
                                                    SHA-256:E71C10CD3B164C6663450EF065EA05E226CA67FF081FE4C83B4A47EDBEFB8404
                                                    SHA-512:05A4FA7D77A88C26DF8B83D62567C3365026728882435AD031114A9875CEBFB41A4A0AEF01DC5985F64F961AE68D62CBCA67A08C3BDF89C2ABC6C0CDFE3348F0
                                                    Malicious:false
                                                    Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):96
                                                    Entropy (8bit):2.99798449505456
                                                    Encrypted:false
                                                    SSDEEP:3:QmalTuOIAlSRYplflbPRYplf955:Qmalt9lLZiLN
                                                    MD5:F26BF481CA203C7D611850139ACBEF41
                                                    SHA1:EA86C45B436D1B8F5F42F87AE5034332A5BCFEC4
                                                    SHA-256:A6AE6BBFC3486BA26A9A3C67B127D6972D16B8B925BDE4AF20880EE1B1D997CB
                                                    SHA-512:D1D2AE7C30A146AC1A85BDC133CE1F105AFC6F4EC8C5BD21A8EAACD0910929D3A9FCB540AB533A253C296C51DC71D1AE58749F7449DAB1C530E82D78D3544E4E
                                                    Malicious:true
Preview (decoded):CeveralSes :<->:  <<:>> TrialNow :<->: 0 <<:>>
                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):6668
                                                    Entropy (8bit):3.5127462716425657
                                                    Encrypted:false
                                                    SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                    MD5:30C30EF2CB47E35101D13402B5661179
                                                    SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                    SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                    SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                    Malicious:true
Preview (decoded):
param(
  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
 ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
 ,[Parameter(Mandatory=$true)]
                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):250
                                                    Entropy (8bit):3.576902729499699
                                                    Encrypted:false
                                                    SSDEEP:6:QfFok79idK3fclQ9zgltHN+KiVmMXFVrMTlp1LlG7JidK3fpdInO:QfF3IugM/XFVrMTWNvn
                                                    MD5:479FAC6E0C05C5A57698619AFE51DEF2
                                                    SHA1:1AF4A4DB75ACE8324ED7BFF59D711E80A7BDB821
                                                    SHA-256:700080D274E5629A2BFA0D47B9BAF53AD69E67A64A2B04D84115D5851AB3DDBD
                                                    SHA-512:B0B5065C216EBC1124B985F3FF86EE7C7E7E9B994190D1103C454EDD602E0242B7160BFFB202538470254675DFACAC6159F1A459B979DAD563BDED84FCED193E
                                                    Malicious:true
Preview (decoded):
$oignqp = AI_GetMsiProperty "CeveralSes"
$avoijg = [uint32]($oignqp -replace 'b', '')
AI_SetMsiProperty "TrialNow" $avoijg
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):310928
                                                    Entropy (8bit):6.001677789306043
                                                    Encrypted:false
                                                    SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                    MD5:147B71C906F421AC77F534821F80A0C6
                                                    SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                    SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                    SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
                                                    • Filename: installer.msi, Detection: malicious, Browse
                                                    • Filename: setup.msi, Detection: malicious, Browse
                                                    • Filename: Setup.msi, Detection: malicious, Browse
                                                    • Filename: q9bzWO2X1r.msi, Detection: malicious, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}|...|...|....../p....../v....../1...u.a.l....../u...|........./v....../}...Rich|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):117496
                                                    Entropy (8bit):6.136079902481222
                                                    Encrypted:false
                                                    SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                    MD5:F67792E08586EA936EBCAE43AAB0388D
                                                    SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                    SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                    SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
                                                    • Filename: installer.msi, Detection: malicious, Browse
                                                    • Filename: setup.msi, Detection: malicious, Browse
                                                    • Filename: Setup.msi, Detection: malicious, Browse
                                                    • Filename: q9bzWO2X1r.msi, Detection: malicious, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,|..B/..B/..B/.../..B/.G...B/.F...B/.A...B/.C...B/.C...B/..G...B/<.C...B/..C/..B/<.G...B/<../..B/.../..B/<.@...B/Rich..B/................PE..d.....-a..........#............................@.....................................].... .................................................D...,...............`....................]..T...................P_..(...P^...............0..H............................text............................... ..`.rdata...o...0...p..."..............@..@.data...@...........................@....pdata..`...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):506008
                                                    Entropy (8bit):6.4284173495366845
                                                    Encrypted:false
                                                    SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                    MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                    SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                    SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                    SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............|.&.....|.$.J...|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12224
                                                    Entropy (8bit):6.596101286914553
                                                    Encrypted:false
                                                    SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                    MD5:919E653868A3D9F0C9865941573025DF
                                                    SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                    SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                    SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
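Each entry above is the same small set of triage fields (file type, size, 8-bit entropy, the "Encrypted" flag, MD5/SHA1/SHA-256/SHA-512 and a dot-masked header preview) computed over a file msiexec.exe wrote to disk. The script below, an added example and not Joe Sandbox's own code, reproduces those fields from the raw bytes so a responder can run the same checks on a file pulled from an image and compare it hash-for-hash with the report. It also pulls out two things the report only hints at through the previews: the section names (the small dropped DLLs show just `.rdata` and `.rsrc`) and whether an import directory is present at all. Assumptions: the "Encrypted" threshold of 7.5 bits per byte is a common packed/encrypted heuristic and not the sandbox's published rule; the PE32+ image it analyses is constructed inline and is headers only, not any file from this report; the SSDEEP field is omitted because it needs the third-party `ssdeep` module.

```python
"""Reproduce the per-file triage fields a sandbox reports for a dropped PE
(size, 8-bit entropy, hashes, `file`-style type string, header preview) and
add two checks worth having at hand: section names and import presence.
The sample image is constructed below; no real malware is embedded."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "Aarch64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}
# Assumed threshold: the sandbox's own "Encrypted" rule is not on the report
# page; >= 7.5 bits/byte is a common packed-or-encrypted heuristic.
ENCRYPTED_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def preview(data: bytes, n: int = 256) -> str:
    """Render the first n bytes the way the report's Preview field does."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:n])


def describe_pe(data: bytes):
    """Parse just enough of the MZ/PE headers for a `file`-style type string;
    return None for anything that is not a well-formed PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset for PE32 and PE32+
    parts = [{0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"PE(magic=0x{magic:x})"), "executable"]
    if chars & IMAGE_FILE_DLL:
        parts.append("(DLL)")
    parts.append(f"({SUBSYSTEMS.get(subsystem, f'subsystem {subsystem}')})")
    parts.append(MACHINES.get(machine, f"machine 0x{machine:x}") + ",")
    parts.append("for MS Windows")
    # Import table is data directory index 1; the directory array starts at
    # optional-header offset 112 for PE32+ and 96 for PE32.
    dir_base = opt + (112 if magic == 0x20B else 96)
    has_imports = False
    if dir_base + 16 <= len(data):
        import_rva, import_size = struct.unpack_from("<II", data, dir_base + 8)
        has_imports = import_rva != 0 and import_size != 0
    names = []
    for i in range(nsec):                     # 40-byte section headers, 8-byte names
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"file_type": " ".join(parts), "sections": names, "has_imports": has_imports,
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()}


def triage(data: bytes) -> dict:
    """Field names mirror the report so the output lines up with it."""
    pe = describe_pe(data)
    ent = shannon_entropy(data)
    return {
        "File Type": pe["file_type"] if pe else "data",
        "Size (bytes)": len(data),
        "Entropy (8bit)": ent,
        "Encrypted": ent >= ENCRYPTED_ENTROPY,
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA-256": hashlib.sha256(data).hexdigest(),
        "SHA-512": hashlib.sha512(data).hexdigest(),
        "Preview": preview(data),
        "Sections": pe["sections"] if pe else [],
        "Imports": pe["has_imports"] if pe else None,
        "Timestamp": pe["timestamp"] if pe else None,
    }


def build_sample_pe(dll=True, machine=0x8664, subsystem=3, section_names=(b".rdata", b".rsrc")) -> bytes:
    """Constructed, headers-only PE32+ image standing in for a dropped DLL."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240)                      # PE32+ optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)      # NumberOfRvaAndSizes; import directory left zero
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, len(opt),
                       0x2022 if dll else 0x0022)
    secs = b"".join(struct.pack("<8s", n) + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs + bytes(256)


if __name__ == "__main__":
    for k, v in triage(build_sample_pe()).items():
        print(f"{k}:{v}")
```

Run it against a real file with `triage(open(path, "rb").read())` and diff the output against the report's entry. The `Imports` flag is the one to look at first for DLLs whose preview shows only `.rdata` and `.rsrc`: a PE with no import directory carries no code that calls out of itself, which is why a 0% vendor hit rate on such a file says nothing about the installer that dropped it; the hashes are what tie the on-disk file back to this report.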
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12224
                                                    Entropy (8bit):6.640081558424349
                                                    Encrypted:false
                                                    SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                    MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                    SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                    SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                    SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11712
                                                    Entropy (8bit):6.6023398138369505
                                                    Encrypted:false
                                                    SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                    MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                    SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                    SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                    SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.614262942006268
                                                    Encrypted:false
                                                    SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                    MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                    SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                    SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                    SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.654155040985372
                                                    Encrypted:false
                                                    SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                    MD5:94788729C9E7B9C888F4E323A27AB548
                                                    SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                    SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                    SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):15304
                                                    Entropy (8bit):6.548897063441128
                                                    Encrypted:false
                                                    SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                    MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                    SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                    SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                    SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11712
                                                    Entropy (8bit):6.622041192039296
                                                    Encrypted:false
                                                    SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                    MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                    SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                    SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                    SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.730719514840594
                                                    Encrypted:false
                                                    SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                    MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                    SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                    SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                    SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.626458901834476
                                                    Encrypted:false
                                                    SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                    MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                    SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                    SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                    SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.577869728469469
                                                    Encrypted:false
                                                    SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                    MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                    SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                    SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                    SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11712
                                                    Entropy (8bit):6.6496318655699795
                                                    Encrypted:false
                                                    SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                    MD5:A038716D7BBD490378B26642C0C18E94
                                                    SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                    SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                    SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12736
                                                    Entropy (8bit):6.587452239016064
                                                    Encrypted:false
                                                    SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                    MD5:D75144FCB3897425A855A270331E38C9
                                                    SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                    SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                    SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):14280
                                                    Entropy (8bit):6.658205945107734
                                                    Encrypted:false
                                                    SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                    MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                    SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                    SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                    SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12224
                                                    Entropy (8bit):6.621310788423453
                                                    Encrypted:false
                                                    SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                    MD5:808F1CB8F155E871A33D85510A360E9E
                                                    SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                    SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                    SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.7263193693903345
                                                    Encrypted:false
                                                    SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                    MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                    SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                    SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                    SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12744
                                                    Entropy (8bit):6.601327134572443
                                                    Encrypted:false
                                                    SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                    MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                    SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                    SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                    SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):14272
                                                    Entropy (8bit):6.519411559704781
                                                    Encrypted:false
                                                    SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                    MD5:E173F3AB46096482C4361378F6DCB261
                                                    SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                    SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                    SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.659079053710614
                                                    Encrypted:false
                                                    SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                    MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                    SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                    SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                    SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11200
                                                    Entropy (8bit):6.7627840671368835
                                                    Encrypted:false
                                                    SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                    MD5:0233F97324AAAA048F705D999244BC71
                                                    SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                    SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                    SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12224
                                                    Entropy (8bit):6.590253878523919
                                                    Encrypted:false
                                                    SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                    MD5:E1BA66696901CF9B456559861F92786E
                                                    SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                    SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                    SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.672720452347989
                                                    Encrypted:false
                                                    SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                    MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                    SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                    SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                    SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):13760
                                                    Entropy (8bit):6.575688560984027
                                                    Encrypted:false
                                                    SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                    MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                    SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                    SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                    SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.70261983917014
                                                    Encrypted:false
                                                    SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                    MD5:D175430EFF058838CEE2E334951F6C9C
                                                    SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                    SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                    SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12744
                                                    Entropy (8bit):6.599515320379107
                                                    Encrypted:false
                                                    SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                    MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                    SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                    SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                    SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.690164913578267
                                                    Encrypted:false
                                                    SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                    MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                    SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                    SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                    SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.615761482304143
                                                    Encrypted:false
                                                    SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                    MD5:735636096B86B761DA49EF26A1C7F779
                                                    SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                    SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                    SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12744
                                                    Entropy (8bit):6.627282858694643
                                                    Encrypted:false
                                                    SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                    MD5:031DC390780AC08F498E82A5604EF1EB
                                                    SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                    SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                    SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):15816
                                                    Entropy (8bit):6.435326465651674
                                                    Encrypted:false
                                                    SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                    MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                    SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                    SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                    SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.5874576656353145
                                                    Encrypted:false
                                                    SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                    MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                    SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                    SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                    SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):13768
                                                    Entropy (8bit):6.645869978118917
                                                    Encrypted:false
                                                    SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                    MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                    SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                    SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                    SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):61176
                                                    Entropy (8bit):5.850944458899023
                                                    Encrypted:false
                                                    SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                    MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                    SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                    SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                    SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.X.F...F...F...>O..F.......F.......F.......F.......F.......F...F...F..-/...F..-/...F..-/#..F...FK..F..-/...F..Rich.F..........PE..d.....-a.........." .....X...|.......Y.................................................... .....................................................x.......h.......................0...P...T.......................(....................p..X............................text....V.......X.................. ..`.rdata...X...p...Z...\..............@..@.data...............................@....pdata..............................@..@.rsrc...h...........................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):127224
                                                    Entropy (8bit):6.217127607919178
                                                    Encrypted:false
                                                    SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                    MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                    SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                    SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                    SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'y.fI*.fI*.fI*...*.fI*..M+.fI*..J+.fI*..L+.fI*..H+.fI*..H+.fI*..H+.fI*.fH*.fI*..L+.fI*..I+.fI*...*.fI*.f.*.fI*..K+.fI*Rich.fI*................PE..d.....-a.........." ......................................................... ............ ..........................................x..|B..............p.......@...............D....>..T...................0@..(...0?............... ...............................text...p........................... ..`.rdata....... ......................@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc..D...........................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):418040
                                                    Entropy (8bit):6.1735291180760505
                                                    Encrypted:false
                                                    SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                    MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                    SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                    SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                    SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+ ..Es..Es..Es...s..Es..Ar..Es..Fr..Es..@r..Es..Dr..Es..Dr..Es..Ds(.Es..@r..Es..Er..Es..s..Es...s..Es..Gr..EsRich..Es........PE..d.....-a.........." .........:.......................................................4.... .........................................`n...T...........p.......0..d2...D.................T...................0...(...0................ ...............................text...\........................... ..`.rdata..h.... ......................@..@.data....7.......0..................@....pdata..d2...0...4..................@..@.rsrc........p.......8..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):698104
                                                    Entropy (8bit):6.463466021766765
                                                    Encrypted:false
                                                    SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                    MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                    SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                    SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                    SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.B.P.B.P.B.P.K...N.P...T.J.P...S.@.P...U.Z.P...Q.F.P...Q.G.P.B.Q...P..U.P.P..P.C.P...C.P.B...C.P..R.C.P.RichB.P.........................PE..d.....-a.........." ................l................................................s.... ..........................................7..T...4...........X....`...D...................Q..T...................@S..(...@R..................H............................text............................... ..`.rdata...V.......X..................@..@.data...`(...0..."..................@....pdata...D...`...F...6..............@..@.rsrc...X............|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):31480
                                                    Entropy (8bit):5.969706735107452
                                                    Encrypted:false
                                                    SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                    MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                    SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                    SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                    SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{...{...{...r.e.....)...h...)...s...)...y...)....... ...x...{...E......y......z......z...{.a.z......z...Rich{...........PE..d.....-a.........." .....,...4......@0................................................... ..........................................T......tU..x.......`....p.......^..............0F..T....................G..(....F...............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...h....`.......N..............@....pdata.......p.......R..............@..@.rsrc...`............V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):103672
                                                    Entropy (8bit):5.851546804507911
                                                    Encrypted:false
                                                    SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                    MD5:129051E3B7B8D3CC55559BEDBED09486
                                                    SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                    SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                    SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X..............&........................................&.............&......&......&.J.......".....&......Rich............................PE..d.....-a.........." ................4...............................................:..... ..........................................J.......[..........`............x..............`...T.......................(....................................................text............................... ..`.rdata.............................@..@.data........p.......N..............@....pdata...............\..............@..@.rsrc...`............n..............@..@.reloc...............t..............@..B........................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):57488
                                                    Entropy (8bit):6.382541157520703
                                                    Encrypted:false
                                                    SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                    MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                    SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                    SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                    SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):4664568
                                                    Entropy (8bit):6.259383987199329
                                                    Encrypted:false
                                                    SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                    MD5:A6A89F55416DB79D9E13B82685A04D60
                                                    SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                    SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                    SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........$n..J=..J=..J=...=..J=..N<..J=..I<..J=..O<..J=..K<..J=..N<..J=..L<..J=..K<..J=..K<..J=..K=i.J=..N<..J=..O<U.J=..J<..J=..=..J=...=..J=..H<..J=Rich..J=................PE..d.....-a.........." ......+..........f(.......................................I.......H... ..........................................7>.8.....A......@I.......G......G......PI..F....1.T...................0.1.(...0.1...............+..............................text.....+.......+................. ..`.rdata.......+.......+.............@..@.data....'...`B......DB.............@....pdata.......G.......E.............@..@.rsrc........@I.......F.............@..@.reloc...F...PI..H....F.............@..B........................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):215288
                                                    Entropy (8bit):6.050529290720027
                                                    Encrypted:false
                                                    SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                    MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                    SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                    SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                    SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[..5...5...5......5...1...5...6...5...0...5...4...5...4...5.#.4...5...4.-.5.#.0...5.#.5...5.#....5.......5.#.7...5.Rich..5.........PE..d.....-a.........." .........j...............................................p............ ..............................................!...........P..h....0.......,.......`..........T...........................@................................................text............................... ..`.rdata..............................@..@.data....$..........................@....pdata.......0... ..................@..@.rsrc...h....P......."..............@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:RAR archive data, v5
                                                    Category:dropped
                                                    Size (bytes):357054
                                                    Entropy (8bit):7.999513517579771
                                                    Encrypted:true
                                                    SSDEEP:6144:Jz39JnVboHjhkiHKsMEr6WxxcMbW/Dk7ffAu7vbUz4mCWyyl:Jz39R6HjCiHKsQWrcMbW4PbUzrzl
                                                    MD5:DF4269BB759C8E13183B09F508F9D2FB
                                                    SHA1:792C91A36891D5544B578FB42D73D111E77771A1
                                                    SHA-256:07D4E4AC8CE99334FEF69442B74C5E5B39BD726DA1474C7B6852088F5AE57BD5
                                                    SHA-512:A06A755210797F97FB427D79F5C3011DEBC6777366AF435E82E18C89636947E7D40424DFF8D0CB9B534FD66F2F6CC52C13270469EED7CD799C0E9ABECE57BCCA
                                                    Malicious:false
                                                    Preview:Rar!.......!.....P.r$.6...W..1A/....sykLW...q...*$-..#.wL.....+:..!_..q.-......\.C.0...z.t..S..*^...M5/.....P....V......U.^..[.;.....iTqP...+z.z.........k}.Q../.`...,a......=.^P.g.....1o...LH.!D/..x).r......zBe..>.0.. .`.j.f\....3M.....m.Ecr......C...o]?............x......T....i/..`._..V>.7..qe..W.g.p...v . c..s..Y..#....+.....i.L..XR......B......v..I..|=....'[3.n..R....N..(.e.d..U....<1...SS..%2..].......h..'2......"s|+............4,...lFGC...W.d.....sn.F.Le...K.@i.-.r.E.,..Y...l.S.W..n...{...=0|j.._.>7. ."..=E^.2'%tq..AX..m.6..:lW[oqQ.z|J..(.-.]..xx.-8......1G...OX..*..}..{*.6|:....;."XM..`...o....38U.c}w..J..R....O....v..../8..D..&g>.#.#(..V.....NfG.Ex..P..Y...7....5.P.....s......+.......7X....>NB....z......... .%..4..C.z...@`|.>E..m:..1.u5 .x.O...h6K.-...9.......v=.K...cP../._..z..Ufh.P.....Y$.A......6.X..2..n...(9...~._.y*........i$S....*:.eT.Vc.....5....;.A.}..v.A..3.....!.{o^....X...Y.+[{N-.G2,...y+s#c."0d4..E.b.DF.I9..0O5..4.
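Every entry above carries the same recomputable columns: size, 8-bit Shannon entropy, an Encrypted flag (set only on the RAR archive, whose entropy of 7.9995 bits per byte means the content is effectively incompressible, as encrypted or compressed data is), four digests, and a file(1)-style type derived from the header bytes visible in the Preview (the `MZ` stub and `PE..d.` for the x86-64 images, `Rar!` for the archive). The Python below is an added example, not code from the sandbox that produced this report, that recomputes those columns from a file's bytes so a reported value can be checked against the artefact on disk. The entropy cut-off used for the Encrypted flag, the `build_pe_stub` helper that fabricates a minimal PE32+ header as sample input, and the timestamp it embeds are assumptions of the example; the SSDEEP, Malicious and Antivirus columns are not reproduced because they need external tooling or scanner verdicts.

```python
"""Recompute the per-file columns of a sandbox 'dropped files' table (added example)."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumption: the report flags ~7.9995 as Encrypted; the real rule is unknown, 7.9 is our cut-off.
ENCRYPTED_ENTROPY_THRESHOLD = 7.9
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR v5 archive signature
IMAGE_FILE_DLL = 0x2000                # COFF Characteristics bit
MACHINES = {0x8664: "x86-64", 0x014C: "Intel 80386", 0xAA64: "Aarch64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}


def shannon_entropy(data: bytes) -> float:
    """8-bit entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the four algorithms the table lists."""
    return {alg: hashlib.new(alg, data).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def pe_info(data: bytes):
    """Parse just enough PE header to build the File Type string; None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the PE signature
    machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    return {
        "bits": "PE32+" if magic == 0x20B else "PE32",
        "dll": bool(characteristics & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}"),
        "machine": MACHINES.get(machine, f"machine {machine:#x}"),
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
    }


def file_type(data: bytes) -> str:
    """file(1)-style description for the two formats present in the listing."""
    if data.startswith(RAR5_MAGIC):
        return "RAR archive data, v5"
    pe = pe_info(data)
    if pe:
        kind = " (DLL)" if pe["dll"] else ""
        return f'{pe["bits"]} executable{kind} ({pe["subsystem"]}) {pe["machine"]}, for MS Windows'
    return "data"


def describe(data: bytes) -> dict:
    """One row of the dropped-files table, recomputed from the bytes."""
    ent = shannon_entropy(data)
    row = {"Size (bytes)": len(data), "Entropy (8bit)": ent,
           "Encrypted": ent >= ENCRYPTED_ENTROPY_THRESHOLD, "File Type": file_type(data)}
    row.update({alg.upper(): hexd for alg, hexd in digests(data).items()})
    return row


def build_pe_stub(dll: bool = True, subsystem: int = 2, timestamp: int = 1_600_000_000) -> bytes:
    """Constructed sample input: an MZ/PE32+ header skeleton with no code or sections."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240,
                       0x0022 | (IMAGE_FILE_DLL if dll else 0))
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ optional-header magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "stub.dll (constructed)": build_pe_stub(),
        "stub.exe (constructed)": build_pe_stub(dll=False, subsystem=3),
        "uniform.bin (constructed)": bytes(range(256)) * 4,
        "archive.rar (constructed header)": RAR5_MAGIC + b"\0" * 16,
    }
    for name, blob in samples.items():
        print(name)
        for key, value in describe(blob).items():
            print(f"  {key}: {value}")
```

For a real artefact, call `describe(open(path, "rb").read())` and compare the digests with the report; a mismatch means the file on disk is not the one the sandbox analysed. The Encrypted flag is a heuristic only: uniformly random bytes score 8.0 exactly, so compressed, encrypted and packed payloads all look alike, and a low score on a PE does not rule out a payload hidden in a single high-entropy section.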
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):566704
                                                    Entropy (8bit):6.494428734965787
                                                    Encrypted:false
                                                    SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                    MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                    SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                    SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                    SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):22
                                                    Entropy (8bit):3.879664004902594
                                                    Encrypted:false
                                                    SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                    MD5:D9324699E54DC12B3B207C7433E1711C
                                                    SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                    SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                    SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                    Malicious:false
                                                    Preview:@echo off..Start "" %1
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):12124160
                                                    Entropy (8bit):4.1175508751036585
                                                    Encrypted:false
                                                    SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                    MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                    SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                    SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                    SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                    Malicious:false
                                                    Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):12124160
                                                    Entropy (8bit):4.117842215789484
                                                    Encrypted:false
                                                    SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                    MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                    SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                    SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                    SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                    Malicious:false
                                                    Preview:....j..L.........*.\.....................................+..............................j..-.....................................!>.............................|<:.......................A.......@...... t...............................".....................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):51389
                                                    Entropy (8bit):7.916683616123071
                                                    Encrypted:false
                                                    SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                    MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                    SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                    SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                    SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^*#.j...R.A..qV.1o...p.....|._.-N$.!.;X....|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be.*.eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.*t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N....*..r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):12133334
                                                    Entropy (8bit):7.944474086295981
                                                    Encrypted:false
                                                    SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                    MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                    SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                    SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                    SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.class.X...e../.l.!..!.#..M..."..g..#.B.........0;{.AAD.EE..QQQ.aG....{.]....7......~.{....k...{....<HD...4.......x%?G.4_St.Z...\..].+c..t.t........iC./...gZ..].8C..D'M...\3.+~5......z.<.f1..2.v./.As.Lv.....`2.M%...d.h..S`....YC.....D.u0-l.V#.5.,.e..)[..[.v..*............d.I...A........A+&."..8g.)"..E..1!.Z.]....Ak..5.......<'..L8bC..V4.U2.~$...i....)."I...O...d:......@..S...w0m...-....2..x....z.....O....k.8.}....P.....=..I/...<../.d..k....43VL.i...........C.S|`..!b.8....3.Ey..S..e..+.../T..j...g..B.@q9.."..>.LU..2-i....-.!....Z....g.BGl.j..R...Z.D.YJ.Kd...9 l.FN4.Rk.22..b..Rn...u..x.,...j.I.aZ.....X[{L.e..Z#..`.Z...*8..[.p..0.(...j..W..-M...V..H7.c.KN...5e.."...t[um..R...UF.c..1.....z|z.EeO..j..k.V..\x.8.....et;.9.^.Pa..+......U....Iu.q.t....HY.g...q.......omK...FKr1.F..F?.i.d../.]....68..L.........W..s.CU.|y.....zE..Q\...82..W.i[.#Q..xm......P..u.<.#...yC...,........~B..|sF.
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):41127
                                                    Entropy (8bit):7.961466748192397
                                                    Encrypted:false
                                                    SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                    MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                    SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                    SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                    SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...*A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z|*.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):113725
                                                    Entropy (8bit):7.928841651831531
                                                    Encrypted:false
                                                    SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                    MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                    SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                    SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                    SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm......*..Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h.*.^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz|..^.........8q..{...}.*G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j*..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):896846
                                                    Entropy (8bit):7.923431656723031
                                                    Encrypted:false
                                                    SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                    MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                    SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                    SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                    SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):639224
                                                    Entropy (8bit):6.219852228773659
                                                    Encrypted:false
                                                    SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                    MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                    SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                    SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                    SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):98224
                                                    Entropy (8bit):6.452201564717313
                                                    Encrypted:false
                                                    SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                    MD5:F34EB034AA4A9735218686590CBA2E8B
                                                    SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                    SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                    SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):37256
                                                    Entropy (8bit):6.297533243519742
                                                    Encrypted:false
                                                    SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                    MD5:135359D350F72AD4BF716B764D39E749
                                                    SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                    SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                    SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                    Category:dropped
                                                    Size (bytes):372526
                                                    Entropy (8bit):4.467275942115759
                                                    Encrypted:false
                                                    SSDEEP:3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
                                                    MD5:B52B2D1D4C9E56CA24AB0CD0730CC5AD
                                                    SHA1:C70A3683DF57DE3096CA58F314C0B649035392CC
                                                    SHA-256:73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
                                                    SHA-512:CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {4F7ACFB3-EB7E-4D07-B834-8DA9E6627AD6}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Dec 22 12:36:21 2024, Last Saved Time/Date: Sun Dec 22 12:36:21 2024, Last Printed: Sun Dec 22 12:36:21 2024, Number of Pages: 450
                                                    Category:dropped
                                                    Size (bytes):60282097
                                                    Entropy (8bit):7.201433257761182
                                                    Encrypted:false
                                                    SSDEEP:786432:kWZbjVmrjV7eIAtehOTZhoZ4sdUuzt/NCaY2ksCCb:kWdVmrjV7eIvhOTZyRjVCa1tNb
                                                    MD5:E6F25573A231ABE0101B01998E9726A5
                                                    SHA1:53CC9F5F4D5660904CBD6005C6942E305DA2080A
                                                    SHA-256:DD9A35580FB957E710B73BD805DA94EA04EACCDDC0700E6190CF6C3E1F9CCD8E
                                                    SHA-512:D4594F59FA3B1396D2912FFA3F871F39C94F1170896144D76645BE660DE13F8449128FEC12B72F45D2BB8EA132B97241757D9695E914F274AFB7578B35645CD5
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1201504
                                                    Entropy (8bit):6.4557937684843365
                                                    Encrypted:false
                                                    SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                    MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                    SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                    SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                    SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.|CF..@G.|DF..@G.|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):380520
                                                    Entropy (8bit):6.512348002260683
                                                    Encrypted:false
                                                    SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                    MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                    SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                    SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                    SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):393109
                                                    Entropy (8bit):4.736504422485608
                                                    Encrypted:false
                                                    SSDEEP:3072:Fh9qAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzd:Fh97CANx6xPZX9mBA
                                                    MD5:83479DD1DE51191EEB710834999F56B5
                                                    SHA1:718724C917234E0E25EABBAA13266C7E1082FAF1
                                                    SHA-256:2E011897956430E8D986F832173E16C30E38001FFD3D703412D1B82F49FE8F3B
                                                    SHA-512:93ACC4DC6F2C90A5DB88C6CA59F679140685D51CFC0D663CB07D278DB9C6C8342B7A46DEECBADE8D37AD6D78213F9BE4B2D0D917E2EFF7E16E64E3CDB8C74796
                                                    Malicious:false
                                                    Preview:...@IXOS.@.....@&..Y.@.....@.....@.....@.....@.....@......&.{87CA9E75-24E5-41BB-A46A-754C76747E62}..App x installer..setup.msi.@.....@.....@.....@......icon_22.exe..&.{4F7ACFB3-EB7E-4D07-B834-8DA9E6627AD6}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}C.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}8.21:\Software\Coors Q Corporation\App x installer\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}N.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}U.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll.@.
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):787808
                                                    Entropy (8bit):6.693392695195763
                                                    Encrypted:false
                                                    SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                    MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                    SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                    SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                    SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                    Malicious:false
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.1625952635885217
                                                    Encrypted:false
                                                    SSDEEP:12:JSbX72FjhaAGiLIlHVRpMh/7777777777777777777777777vDHFKDhCp3Xl0i8Q:JjaQI5c56F
                                                    MD5:8B1E3D675A61D13E27D51396CF186B55
                                                    SHA1:4412EA56D3F522B9C42FF8B0FD26795E930D9272
                                                    SHA-256:9CA524A3327D4AE0A947E1A3ACB819DAD389F458D99BDD0BEEC76A6419F9369F
                                                    SHA-512:DC8D3D2B05D22565637F337C93A43F90613DD38AAE38A45D843A2204076299D377DA5AA72778D525213E93D7A077EEBBD56A5E6CE2C2BC82FBC1873E85ECC6FA
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.58256542649673
                                                    Encrypted:false
                                                    SSDEEP:48:4k8PhuuRc06WXOCFT5hd4SwIGAAECiCyVSCvobMUX2ySCOTst:47hu1UFTHfwIWECeGXj
                                                    MD5:4321DD00119EDD44B9B93B4E1DA07C25
                                                    SHA1:0B608604FB9CE375051A7DE144D3FE0BD3D09364
                                                    SHA-256:81C8DE63BCD3D69973204BB4F7FD7BE34F9C8A670F51241BE1FA47706BC4404A
                                                    SHA-512:93550CB7C9F67A13DCEF696BBAABC1CDFB5DC4E93F3AB2D24D81A58703944068F12A46D9E97C8791F6AA8845AAD088F28631D17F5C2F12DE1AF13ACE9F637B61
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):432221
                                                    Entropy (8bit):5.375180105884747
                                                    Encrypted:false
                                                    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauw:zTtbmkExhMJCIpErJ
                                                    MD5:C027DD553503B1C5225D84CC6AA4648E
                                                    SHA1:76599A4F7FB4A5515EAD8602BFD3F52159DE3584
                                                    SHA-256:860E7CC39EAEBD9A692F87CB032CF37F3CB228F99CF7B5039EF29BC85B02C469
                                                    SHA-512:7991EC66864A19EC40D96CE185DE5E8D1CAB47515E7735D600F1BF8276EA2A2E6CF5F5899C6370A768DCFA4A993C14A2D495345DC5AA604B39F6686AA5AE6BB1
                                                    Malicious:false
                                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.267015011485186
                                                    Encrypted:false
                                                    SSDEEP:48:UgmmuaPvcFXOTT5Pd4SwIGAAECiCyVSCvobMUX2ySCOTst:WmAOTBfwIWECeGXj
                                                    MD5:189AC682E6286C1FC68B1DA9BB5FF228
                                                    SHA1:C807B8B743CA1740F646E81554888B2F372680BE
                                                    SHA-256:16B00022F5A0703C204C80EABA86A6AF834DE7D047CF04980192B9394BCB0239
                                                    SHA-512:8D051D694299A4743C53DF8D1FEF1D041A7D3804252E316667FF1EFCAE64F4D907E3BDBBD6E06C0128B15AAEA05E7B89C22448169FCF9AA623682B8402AC5946
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.267015011485186
                                                    Encrypted:false
                                                    SSDEEP:48:UgmmuaPvcFXOTT5Pd4SwIGAAECiCyVSCvobMUX2ySCOTst:WmAOTBfwIWECeGXj
                                                    MD5:189AC682E6286C1FC68B1DA9BB5FF228
                                                    SHA1:C807B8B743CA1740F646E81554888B2F372680BE
                                                    SHA-256:16B00022F5A0703C204C80EABA86A6AF834DE7D047CF04980192B9394BCB0239
                                                    SHA-512:8D051D694299A4743C53DF8D1FEF1D041A7D3804252E316667FF1EFCAE64F4D907E3BDBBD6E06C0128B15AAEA05E7B89C22448169FCF9AA623682B8402AC5946
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):73728
                                                    Entropy (8bit):0.14438474266910797
                                                    Encrypted:false
                                                    SSDEEP:24:utZ/PTxkrMvxipVkrMvvkrMvPAEVkryjCyH1ipVkrMvIV2BwGPZMU80QrF8+/Qun:utJTeySCTAAECiCyVSCvobMUXW8w44Z
                                                    MD5:BF80A01F7FB7060F03B4E7FE7553C5E6
                                                    SHA1:0187D4520E43A40200DBE84D406207F426ACF532
                                                    SHA-256:E36199478D305061DFDAA4C3CE85D13FF2CF2FD95D14B272F5DA6BEF029C0AE2
                                                    SHA-512:DA2F2E6C84B9D807977A3D1E8CF3AD064DFB23DBFB0646C1515FEC5D4E48ABE7A018FDC122EEB454419892FCCE81A9368E220457ACD850D1BF72DA719128F68F
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.58256542649673
                                                    Encrypted:false
                                                    SSDEEP:48:4k8PhuuRc06WXOCFT5hd4SwIGAAECiCyVSCvobMUX2ySCOTst:47hu1UFTHfwIWECeGXj
                                                    MD5:4321DD00119EDD44B9B93B4E1DA07C25
                                                    SHA1:0B608604FB9CE375051A7DE144D3FE0BD3D09364
                                                    SHA-256:81C8DE63BCD3D69973204BB4F7FD7BE34F9C8A670F51241BE1FA47706BC4404A
                                                    SHA-512:93550CB7C9F67A13DCEF696BBAABC1CDFB5DC4E93F3AB2D24D81A58703944068F12A46D9E97C8791F6AA8845AAD088F28631D17F5C2F12DE1AF13ACE9F637B61
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.267015011485186
                                                    Encrypted:false
                                                    SSDEEP:48:UgmmuaPvcFXOTT5Pd4SwIGAAECiCyVSCvobMUX2ySCOTst:WmAOTBfwIWECeGXj
                                                    MD5:189AC682E6286C1FC68B1DA9BB5FF228
                                                    SHA1:C807B8B743CA1740F646E81554888B2F372680BE
                                                    SHA-256:16B00022F5A0703C204C80EABA86A6AF834DE7D047CF04980192B9394BCB0239
                                                    SHA-512:8D051D694299A4743C53DF8D1FEF1D041A7D3804252E316667FF1EFCAE64F4D907E3BDBBD6E06C0128B15AAEA05E7B89C22448169FCF9AA623682B8402AC5946
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.58256542649673
                                                    Encrypted:false
                                                    SSDEEP:48:4k8PhuuRc06WXOCFT5hd4SwIGAAECiCyVSCvobMUX2ySCOTst:47hu1UFTHfwIWECeGXj
                                                    MD5:4321DD00119EDD44B9B93B4E1DA07C25
                                                    SHA1:0B608604FB9CE375051A7DE144D3FE0BD3D09364
                                                    SHA-256:81C8DE63BCD3D69973204BB4F7FD7BE34F9C8A670F51241BE1FA47706BC4404A
                                                    SHA-512:93550CB7C9F67A13DCEF696BBAABC1CDFB5DC4E93F3AB2D24D81A58703944068F12A46D9E97C8791F6AA8845AAD088F28631D17F5C2F12DE1AF13ACE9F637B61
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):0.06906582059698972
                                                    Encrypted:false
                                                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOKONODhlHyVky6l3X:2F0i8n0itFzDHFKDh33X
                                                    MD5:C73FA6BB593AD15309415455D8A0FA65
                                                    SHA1:0BD428B78413313EC60568B618287E16E71254EF
                                                    SHA-256:AFF96EC14E7D103BF1271EEDDB975EFF5F86B46C0E6C919DAA2A961A580DA69B
                                                    SHA-512:4452C231955178AE752D66A35AE7EB8E00C2996D4EE8751A245DAE2DFDB0A982FBD55CCFF40FF15113F67FD8565EA711D8C867EB80CF70C72F2280764449A43C
                                                    Malicious:false
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Process:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):638
                                                    Entropy (8bit):4.751962275036146
                                                    Encrypted:false
                                                    SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                    MD5:15CA959638E74EEC47E0830B90D0696E
                                                    SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                    SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                    SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                    Malicious:false
                                                    Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {4F7ACFB3-EB7E-4D07-B834-8DA9E6627AD6}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Dec 22 12:36:21 2024, Last Saved Time/Date: Sun Dec 22 12:36:21 2024, Last Printed: Sun Dec 22 12:36:21 2024, Number of Pages: 450
                                                    Entropy (8bit):7.201433257761182
                                                    TrID:
                                                    • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                    • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                    File name:setup.msi
                                                    File size:60'282'097 bytes
                                                    MD5:e6f25573a231abe0101b01998e9726a5
                                                    SHA1:53cc9f5f4d5660904cbd6005c6942e305da2080a
                                                    SHA256:dd9a35580fb957e710b73bd805da94ea04eaccddc0700e6190cf6c3e1f9ccd8e
                                                    SHA512:d4594f59fa3b1396d2912ffa3f871f39c94f1170896144d76645be660de13f8449128fec12b72f45d2bb8ea132b97241757d9695e914f274afb7578b35645cd5
                                                    SSDEEP:786432:kWZbjVmrjV7eIAtehOTZhoZ4sdUuzt/NCaY2ksCCb:kWdVmrjV7eIvhOTZyRjVCa1tNb
                                                    TLSH:51D76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
                                                    Icon Hash:2d2e3797b32b2b99
                                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                    2024-12-23T01:41:11.683187+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49730 | 104.21.65.145 | 443 | TCP
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Dec 23, 2024 01:41:10.397581100 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:10.397624016 CET | 443 | 49730 | 104.21.65.145 | 192.168.2.4
                                                    Dec 23, 2024 01:41:10.397699118 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:10.401156902 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:10.401170015 CET | 443 | 49730 | 104.21.65.145 | 192.168.2.4
                                                    Dec 23, 2024 01:41:11.626880884 CET | 443 | 49730 | 104.21.65.145 | 192.168.2.4
                                                    Dec 23, 2024 01:41:11.626967907 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:11.677958012 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:11.677989960 CET | 443 | 49730 | 104.21.65.145 | 192.168.2.4
                                                    Dec 23, 2024 01:41:11.678452969 CET | 443 | 49730 | 104.21.65.145 | 192.168.2.4
                                                    Dec 23, 2024 01:41:11.678514957 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:11.683010101 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:11.683128119 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:11.683166981 CET | 443 | 49730 | 104.21.65.145 | 192.168.2.4
                                                    Dec 23, 2024 01:41:12.413048029 CET | 443 | 49730 | 104.21.65.145 | 192.168.2.4
                                                    Dec 23, 2024 01:41:12.413134098 CET | 443 | 49730 | 104.21.65.145 | 192.168.2.4
                                                    Dec 23, 2024 01:41:12.413216114 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:12.469840050 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:12.469868898 CET | 443 | 49730 | 104.21.65.145 | 192.168.2.4
                                                    Dec 23, 2024 01:41:12.469878912 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Dec 23, 2024 01:41:12.469929934 CET | 49730 | 443 | 192.168.2.4 | 104.21.65.145
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Dec 23, 2024 01:41:10.164323092 CET | 56431 | 53 | 192.168.2.4 | 1.1.1.1
                                                    Dec 23, 2024 01:41:10.393208981 CET | 53 | 56431 | 1.1.1.1 | 192.168.2.4
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Dec 23, 2024 01:41:10.164323092 CET | 192.168.2.4 | 1.1.1.1 | 0x16fb | Standard query (0) | cubermo.com | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Dec 23, 2024 01:41:10.393208981 CET | 1.1.1.1 | 192.168.2.4 | 0x16fb | No error (0) | cubermo.com |  | 104.21.65.145 | A (IP address) | IN (0x0001) | false
                                                    Dec 23, 2024 01:41:10.393208981 CET | 1.1.1.1 | 192.168.2.4 | 0x16fb | No error (0) | cubermo.com |  | 172.67.164.25 | A (IP address) | IN (0x0001) | false
• cubermo.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.21.65.145 | 443 | 7160 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 00:41:11 UTC | 189 | OUT | POST /updater.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvancedInstaller
Host: cubermo.com
Content-Length: 71
Cache-Control: no-cache
2024-12-23 00:41:11 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 32 32 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 31 39 25 33 41 34 31 25 33 41 30 39 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
Data Ascii: Date=22%2F12%2F2024&Time=19%3A41%3A09&BuildVersion=8.9.9&SoroqVins=True
2024-12-23 00:41:12 UTC | 829 | IN | HTTP/1.1 500 Internal Server Error
Date: Mon, 23 Dec 2024 00:41:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-store
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tvMSmnt8%2FeYSghIniPSvMjZHjf05f37edxFAvnJotgc8CuhjmeujNm1%2BkdCgB%2FM4XrgzQNZ8ViKiiqFky1n1f59ZR0W3GCGvEH3a8CjQ7Ueh2MBMgVEmEJvQiEkdkA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f644df95ff932e8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2041&min_rtt=2030&rtt_var=784&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=920&delivery_rate=1376709&cwnd=246&unsent_bytes=0&cid=3edfcd3089ee2e20&ts=804&x=0"
2024-12-23 00:41:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0

Target ID: 0
Start time: 19:41:01
Start date: 22/12/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Imagebase: 0x7ff625530000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 19:41:01
Start date: 22/12/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff625530000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 19:41:04
Start date: 22/12/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding EDEDFC81D2561B5D361B65129421F09D
Imagebase: 0xda0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 19:41:12
Start date: 22/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss4FA0.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi4F8E.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr4F8F.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr4F90.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase: 0xf00000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 19:41:12
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 19:41:17
Start date: 22/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Imagebase: 0x7ff7c1240000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 19:41:17
Start date: 22/12/2024
Path: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Imagebase: 0x7ff604610000
File size: 57'488 bytes
MD5 hash: 71F796B486C7FAF25B9B16233A7CE0CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 7
Start time: 19:41:17
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 19:41:17
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 19:41:18
Start date: 22/12/2024
Path: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Imagebase: 0x140000000
File size: 117'496 bytes
MD5 hash: F67792E08586EA936EBCAE43AAB0388D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 11
Start time: 19:41:18
Start date: 22/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1770449804.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_75e0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q
                                                      • API String ID: 0-1041444323
                                                      • Opcode ID: d2c524f9520de7d64614ff53098261e2a44577cc084e4252144dca340fd98477
                                                      • Instruction ID: 99a19118c7498654ad4e4af883e0715b3dc0063606f32bc8820c0d85cd982d05
                                                      • Opcode Fuzzy Hash: d2c524f9520de7d64614ff53098261e2a44577cc084e4252144dca340fd98477
                                                      • Instruction Fuzzy Hash: BD110672F4831A4FC72D256C38241FAAAEF7BC1560739086BC049DB399DEA58C454392
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1770449804.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_75e0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4Wk$4Wk$$^q$$^q$$^q
                                                      • API String ID: 0-3095741987
                                                      • Opcode ID: 472d7638f0e8b9dc355a88d180cc76438f6f73ef8411a41e44e04ebc73b40d13
                                                      • Instruction ID: 05f7565cb0d4d8a9cf3f4415da169b9e3a5a6e892d2191d7bdfcbef6139e2cd9
                                                      • Opcode Fuzzy Hash: 472d7638f0e8b9dc355a88d180cc76438f6f73ef8411a41e44e04ebc73b40d13
                                                      • Instruction Fuzzy Hash: 651135B131021A8BD63C1569A8106FB7ADEABC0610B24843FD519CB3C6DEB6C812C2A1

Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.7%
Total number of Nodes: 700
Total number of Limit Nodes: 1

                                                      Control-flow Graph
                                                      (rendered graph and executed/not-executed legend omitted; function 7ff604611060-7ff6046113b7: argument-parsing loop built on strcmp, GetTempPathA and strcat_s for the dump path, atoi for the pid, GetLastError, __acrt_iob_func and fflush on the error paths; calls 7ff604611450, 7ff604612688, 7ff6046123c0, 7ff6046113c0 and 7ff604612680)
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                      • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                      • API String ID: 2647627392-2367407095
                                                      • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                      • Instruction ID: b861518e5bda36d671f56cc901878c0aa8db7b01d54d579c92a5762a2d137650
                                                      • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                      • Instruction Fuzzy Hash: 9AA16161D2C78255FB719F20A4912F966A4AF4B754F2C4131EB8EC26B5FE7CE488E301

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                      • String ID:
                                                      • API String ID: 2308368977-0
                                                      • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                      • Instruction ID: 10030189f64bd1790af5ca6f0028d5b4a0b22db786d72d2445c83c341640e807
                                                      • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                      • Instruction Fuzzy Hash: 56315E21E2C28341FA74AB25A4E13B96291AF41784F6C5475FA4ED73F3FE2CA844A354

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                      • String ID: [createdump]
                                                      • API String ID: 3735572767-2657508301
                                                      • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                      • Instruction ID: 31b794ab64632489eaa5eb8e01a4ae98b20f5cc05b5b41373d6b6830f1d48d9c
                                                      • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                      • Instruction Fuzzy Hash: 2B018B61A28B8182E720AB50F8441AAA364EB88BD1F284538EE8D83779EF7CD455D740

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                      • String ID:
                                                      • API String ID: 3140674995-0
                                                      • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                      • Instruction ID: a9dec9d908ccdc900d6613d56df474af80b91de7ed904f0e1ef5eb4507cd1d42
                                                      • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                      • Instruction Fuzzy Hash: B6316072618A818AEB70DF60E8903EE7361FB44745F584039EA4E87BA4EF3CC648C710
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                      • Instruction ID: 0bdb267d66e90e2e6ebc543691a3550aca934b68c272c134c6bb79f6da5a3645
                                                      • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                      • Instruction Fuzzy Hash: A4A0022192CC06D0F664DF10E8D41312370FB50302B680531F40EC21B0BF3CA584E310

                                                      APIs
                                                      • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF60461242D
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF60461243B
                                                        • Part of subcall function 00007FF604611450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF604611475
                                                        • Part of subcall function 00007FF604611450: fprintf.MSPDB140-MSVCRT ref: 00007FF604611485
                                                        • Part of subcall function 00007FF604611450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF604611494
                                                        • Part of subcall function 00007FF604611450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6046114B3
                                                        • Part of subcall function 00007FF604611450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6046114BE
                                                        • Part of subcall function 00007FF604611450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6046114C7
                                                      • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF604612466
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF604612470
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF604612487
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6046125F3
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                      • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                      • API String ID: 3971781330-1292085346
                                                      • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                      • Instruction ID: 261ce1f0bdcb2b5e92fd394eff0e50e965b122c1d2644d295bb86a5bdde07cd7
                                                      • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                      • Instruction Fuzzy Hash: EA61853162864182E730DB15E4E067A7761FB85790F684130FE9E93AB5EF3DE445E740

                                                      Control-flow Graph
                                                      (rendered graph and executed/not-executed legend omitted; function 7ff6046149a4-7ff604614e9f: C++ exception-dispatch routine that repeatedly calls 7ff6046143d0 and ends in abort or terminate on its failure paths; calls 7ff604614518, 7ff604615724, 7ff604613be8, 7ff6046136d0, 7ff604613670, 7ff604614ea0, 7ff6046156a8, 7ff604613bbc, 7ff604615ab0, 7ff6046152d0, 7ff6046148d0, 7ff604615fd8, 7ff6046160c8, 7ff604614090, 7ff604615838 and 7ff604613f84)
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 695522112-393685449
                                                      • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                      • Instruction ID: b4fae7ddcd5c8b6107d8946a3cf76c576890eb145f7af75615b86fabb8ade81e
                                                      • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                      • Instruction Fuzzy Hash: 1DE182729286828AE730DF35D4C03AD77A0FB54798F284135EA8D877A5EF38E585D740

                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                      • String ID: [createdump]
                                                      • API String ID: 3735572767-2657508301
                                                      • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                      • Instruction ID: 670e1f8c9596dfb2527979c3d0578b814dc2e1c0d51b1858253a1632a39d2bb9
                                                      • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                      • Instruction Fuzzy Hash: 75018F71A18B8182E710AB50F8541AAA360EB84BD1F244134EE8D83775EF7CD495D740

                                                      APIs
                                                      • WSAStartup.WS2_32 ref: 00007FF60461186C
                                                        • Part of subcall function 00007FF604611450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF604611475
                                                        • Part of subcall function 00007FF604611450: fprintf.MSPDB140-MSVCRT ref: 00007FF604611485
                                                        • Part of subcall function 00007FF604611450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF604611494
                                                        • Part of subcall function 00007FF604611450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6046114B3
                                                        • Part of subcall function 00007FF604611450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6046114BE
                                                        • Part of subcall function 00007FF604611450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6046114C7
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                      • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                      • API String ID: 3378602911-3973674938
                                                      • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                      • Instruction ID: 0a8a654b5a897e18ebaa018a4260a69997b97464f918ab878c2a6908c5152ce7
                                                      • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                      • Instruction Fuzzy Hash: AC31C262E286C146E7A58F1598957F93761BB4A784F684032FE4D832A1EE3CE145E700

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF60461669F,?,?,?,00007FF60461441E,?,?,?,00007FF6046143D9), ref: 00007FF60461651D
                                                      • GetLastError.KERNEL32(?,00000000,00007FF60461669F,?,?,?,00007FF60461441E,?,?,?,00007FF6046143D9,?,?,?,?,00007FF604613524), ref: 00007FF60461652B
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00007FF60461669F,?,?,?,00007FF60461441E,?,?,?,00007FF6046143D9,?,?,?,?,00007FF604613524), ref: 00007FF604616555
                                                      • FreeLibrary.KERNEL32(?,00000000,00007FF60461669F,?,?,?,00007FF60461441E,?,?,?,00007FF6046143D9,?,?,?,?,00007FF604613524), ref: 00007FF60461659B
                                                      • GetProcAddress.KERNEL32(?,00000000,00007FF60461669F,?,?,?,00007FF60461441E,?,?,?,00007FF6046143D9,?,?,?,?,00007FF604613524), ref: 00007FF6046165A7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                      • String ID: api-ms-
                                                      • API String ID: 2559590344-2084034818
                                                      • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                      • Instruction ID: 9ec5218fbd5c47b1b37cde92fd53d343bc6c4b773e98351618ee1c90198b1ff1
                                                      • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                      • Instruction Fuzzy Hash: 36319225A2A64292FE31EB12D8805752294FF58BA4F6D4634FD1EC77A8FF3CE8449300

                                                      Control-flow Graph (rendered graph of basic blocks for this function; not reproduced in text)
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: _time64
                                                      • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                      • API String ID: 1670930206-4114407318
                                                      • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                      • Instruction ID: 6e8b13109b68e68ae8332bc250e828ac29b64a84ca4cbc4ba77f3d5d7f9683a6
                                                      • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                      • Instruction Fuzzy Hash: 6551C362A28B8146EB20CB28E4907ED67A1EB467D0F640136EB5D57BB9EF3CD041E740

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: EncodePointerabort
                                                      • String ID: MOC$RCC
                                                      • API String ID: 1188231555-2084237596
                                                      • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                      • Instruction ID: 2e0568c8470cfda4799f3adcb681a4525d89d3cf3b484c65f3aeb808c450eb27
                                                      • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                      • Instruction Fuzzy Hash: 7A91C473A18B869AE720CF65D8802AD7BB0F744788F284129FE8D97765EF38D195D700

                                                      Control-flow Graph (rendered graph of basic blocks for this function; not reproduced in text)
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __except_validate_context_recordabort
                                                      • String ID: csm$csm
                                                      • API String ID: 746414643-3733052814
                                                      • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                      • Instruction ID: f3c351d475aa32dc3b0a68fddd2707c71c951d1bf657e0c34c10be8965b9eec4
                                                      • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                      • Instruction Fuzzy Hash: 9971E8726186919AD7308F21D090779B7A0FB80BC5F288135EE4E87BA5EF3CD451E781

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                      • API String ID: 0-4114407318
                                                      • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                      • Instruction ID: e8fa7314ed0e2c229748894cf7eedfac60e2bb0d1af65a4dee96bb317c2b8566
                                                      • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                      • Instruction Fuzzy Hash: 4C51E722A28B8546D720CB29E4907EA6761EB867D0F640136FB9D53BF9DF3DD041E740

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: CreateFrameInfo__except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 2558813199-1018135373
                                                      • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                      • Instruction ID: 4d67f075692d48c559e814042232f8a67ea6f8a3cc03820aac9f059a2a3c730e
                                                      • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                      • Instruction Fuzzy Hash: 2751527762974286D630DB16E48026EB7B4F788B94F280135EB8E87B65EF7CD461DB00
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 00007FF6046117EB
                                                      • WSAStartup.WS2_32 ref: 00007FF60461186C
                                                        • Part of subcall function 00007FF604611450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF604611475
                                                        • Part of subcall function 00007FF604611450: fprintf.MSPDB140-MSVCRT ref: 00007FF604611485
                                                        • Part of subcall function 00007FF604611450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF604611494
                                                        • Part of subcall function 00007FF604611450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6046114B3
                                                        • Part of subcall function 00007FF604611450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6046114BE
                                                        • Part of subcall function 00007FF604611450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6046114C7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                      • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                      • API String ID: 1412700758-3183687674
                                                      • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                      • Instruction ID: e4e582c4299c4e5e3fbb9246a3fa3d2e4306f36eb3f227919cecda4c1198f2ad
                                                      • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                      • Instruction Fuzzy Hash: B201B522A289C195F7719F52ECD17EA6350BB49798F280036FE0D46661DE3CD496D700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastgethostname
                                                      • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                      • API String ID: 3782448640-4114407318
                                                      • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                      • Instruction ID: 83a8e258a38e1b527f5df8c825ee33f0add694c0bd9f9437fadc14f1347b4cc8
                                                      • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                      • Instruction Fuzzy Hash: D711A711E2864246EB699B21B8E17FA22519F877A4F281135FA5F972F6FD3CD042B340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: terminate
                                                      • String ID: MOC$RCC$csm
                                                      • API String ID: 1821763600-2671469338
                                                      • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                      • Instruction ID: 5bf589dbc6e600622fc9f8d15cc49a045485f0f58cdce1e2c017a47012fccabb
                                                      • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                      • Instruction Fuzzy Hash: F0F08C3692825681E3345B52E1C20BC7264EF58B84F2C5031E7088B2A2EF7CE4A0A602
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF6046118EE), ref: 00007FF6046121E0
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF60461221E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                      • String ID: Invalid process id '%d' error %d
                                                      • API String ID: 73155330-4244389950
                                                      • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                      • Instruction ID: 7d472fb4a06f9cac6e8aa795585510e5feae3ec051261f6a7b76bf82f67d6e18
                                                      • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                      • Instruction Fuzzy Hash: 9731272272978186EE20CF52D5942BD63A1EB05BD0F2C0671EF5D57BE5EE7CE090A300
                                                      APIs
                                                      • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF60461173F), ref: 00007FF604613FC8
                                                      • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF60461173F), ref: 00007FF60461400E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1817270993.00007FF604611000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF604610000, based on PE: true
                                                      • Associated: 00000006.00000002.1817204765.00007FF604610000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817299192.00007FF604618000.00000002.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817322215.00007FF60461C000.00000004.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000006.00000002.1817342467.00007FF60461D000.00000002.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ff604610000_createdump.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFileHeaderRaise
                                                      • String ID: csm
                                                      • API String ID: 2573137834-1018135373
                                                      • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                      • Instruction ID: 0682295f531498413fed3eb9c22a9c2075c24b65f485f62da7c3fa80fe14a7b6
                                                      • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                      • Instruction Fuzzy Hash: 4C115132628B4582EB218F15F48026977A0FB88B84F2C4230EF8D47B68EF3DD555C700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                      • API String ID: 667068680-295688737
                                                      • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                      • Instruction ID: 4df6ef6dd908e9ac89a443b0c3abb15ee60056be3b2d22db3c816af3f1eb7920
                                                      • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                      • Instruction Fuzzy Hash: FFA187A8A09F0793FF049B55B8A816423A7FF49B85BA49035C84F4F634EF7CA159C390
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                      • API String ID: 2943138195-2884338863
                                                      • Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                      • Instruction ID: 780b453f52162d50776e86fdb9a6b21e9e0f56df543413105e53639c75e2c265
                                                      • Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                      • Instruction Fuzzy Hash: FE929472B18A8286E741CB55E4802BEB7B0FB84764F5011B7FA9D43AA9EF7CD554CB00
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                      • Instruction ID: 557ba268821e123c69060fa1a0f4507362ed80d941e526980e5042449c03dd89
                                                      • Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                      • Instruction Fuzzy Hash: 12A26A22609B8982EF24CF19E4903A9B760FB89F91F548136DA8D4BB75DF7DD489C700
                                                      APIs
                                                      • memchr.VCRUNTIME140 ref: 00007FFE014230AA
                                                      • memchr.VCRUNTIME140 ref: 00007FFE01423470
                                                      • memchr.VCRUNTIME140 ref: 00007FFE014236A5
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0142410D
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424114
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0142411B
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424122
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424129
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424130
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424137
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0142413E
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424145
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0142414C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014242D3
                                                        • Part of subcall function 00007FFE01401DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401DFB
                                                        • Part of subcall function 00007FFE01401DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401E08
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
                                                      • String ID: 0123456789-
                                                      • API String ID: 3572500260-3850129594
                                                      • Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                      • Instruction ID: 5dceff8b9885f9c8b9cb75c0bd9ae5eaa65d60152c9edb4773cd540e3e34e2ce
                                                      • Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                      • Instruction Fuzzy Hash: D2E2CB22A09A858AEB008F6AD4543BC37B1FB69B98F958131DA5E0B7F5CF7DD485C301
                                                      APIs
                                                        • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                        • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                        • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                        • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                        • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                        • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                        • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                      • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                      • OpenEventA.KERNEL32 ref: 0000000140008454
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                      • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                        • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                        • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                        • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                        • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                        • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                        • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                        • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                      • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                      • CloseHandle.KERNEL32 ref: 0000000140008554
                                                      • CloseHandle.KERNEL32 ref: 0000000140008561
                                                      • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                      • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                      • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                      • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                      • String ID:
                                                      • API String ID: 1089015687-0
                                                      • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                      • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                      • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                      • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                      • String ID:
                                                      • API String ID: 2074253140-0
                                                      • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                      • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                      • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                      • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: iswdigit$btowclocaleconv
                                                      • String ID: 0$0
                                                      • API String ID: 240710166-203156872
                                                      • Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                      • Instruction ID: 4fdc607cc9020e3c6bcd55aa2cf4d305a6edeff264e7ee3c7d70554d3ce17969
                                                      • Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                      • Instruction Fuzzy Hash: E6811672A1854687E7219F25E85037E73A1FFA0B49F884135DB8E4A2B0EF7CE885C701
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0123456789-+Ee
                                                      • API String ID: 0-1347306980
                                                      • Opcode ID: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                      • Instruction ID: f68a261bd852d8f837c0e19ed4911de76981db4691d01db98844451a9c533627
                                                      • Opcode Fuzzy Hash: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                      • Instruction Fuzzy Hash: 2FC2CE26A09AC58AEB51AF69D05427C37A1FB01F84F559039DA5E2F7B1CF3DE866C300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memchr$isdigit$localeconv
                                                      • String ID: 0$0123456789abcdefABCDEF
                                                      • API String ID: 1981154758-1185640306
                                                      • Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                      • Instruction ID: 294fd90076718d61af4f632cad438c69aeb58fcfc34e97b1e8f6545b4ebef35b
                                                      • Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                      • Instruction Fuzzy Hash: 94914C22A0C5A647FB258F24E81037E7B91FB55B48F989034DE8E4BA75DA3CE885C741
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
                                                      • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                      • API String ID: 2141594249-3606100449
                                                      • Opcode ID: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                      • Instruction ID: db4e984a9c263695f3a8ba49362045eedbc53c1fd2a1040ae74319e0a808f2bd
                                                      • Opcode Fuzzy Hash: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                      • Instruction Fuzzy Hash: 2DD29D22A09AC58AEB51AF6AD19417C3761FB41F84B568039DB5E2F7B1CF3DE856C300
                                                      APIs
                                                      • _Find_elem.LIBCPMT ref: 00007FFE01412C08
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014135B9
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014135C0
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014135C7
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01413776
                                                        • Part of subcall function 00007FFE01401DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401DFB
                                                        • Part of subcall function 00007FFE01401DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401E08
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                      • String ID: 0123456789-
                                                      • API String ID: 2779821303-3850129594
                                                      • Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                      • Instruction ID: 79c48f54706bb3c3d8fe017bab2531652ffed459b54e8975a928d315b9107b19
                                                      • Opcode Fuzzy Hash: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                      • Instruction Fuzzy Hash: 27E2BD26A19A958AEB508F29D09067D3BB5FF44B94F649036EE4E4B7B4CF7CD881C700
                                                      APIs
                                                      • _Find_elem.LIBCPMT ref: 00007FFE01411660
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01412011
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01412018
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141201F
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014121CE
                                                        • Part of subcall function 00007FFE01401DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401DFB
                                                        • Part of subcall function 00007FFE01401DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401E08
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                      • String ID: 0123456789-
                                                      • API String ID: 2779821303-3850129594
                                                      • Opcode ID: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                      • Instruction ID: 5c694c9f278c5933c7cdab3e7e0cb9f3f1712e437ee6d40e25514ed737c9c78a
                                                      • Opcode Fuzzy Hash: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                      • Instruction Fuzzy Hash: DCE25B26A19A9586EB508F29D0906BD3BA5FB44F84F549036EF4E4BBB5CF3DD881C700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: iswdigit$localeconv
                                                      • String ID: 0$0$0123456789abcdefABCDEF
                                                      • API String ID: 2634821343-613610638
                                                      • Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                      • Instruction ID: a36eb8b20c31605d4ec5c381886602c534c567d89fe72b762ea0012c6a386fe2
                                                      • Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                      • Instruction Fuzzy Hash: C9810662E0855687EB258F24D85067E77A1FB64B44F888131DF8E4B6B4EB3CE885C781
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                      • String ID: .$.
                                                      • API String ID: 479945582-3769392785
                                                      • Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                      • Instruction ID: 8275e18b30337a806bee0acb97c89ac6f28bcb3c1c654e6afb6dbbf6f28341cc
                                                      • Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                      • Instruction Fuzzy Hash: 3641A222A1868186EB20EF65E8447B97361FB847A4F514235EBAD2B7E4DF7CD485CB00
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0123456789-+Ee
                                                      • API String ID: 0-1347306980
                                                      • Opcode ID: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                      • Instruction ID: 8d055d28b228897768d62d149e83ee2d30a5676b3d6d8254119562ae02dcef01
                                                      • Opcode Fuzzy Hash: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                      • Instruction Fuzzy Hash: C9C26D2AA09A4686EB668F5AD05017D37A1FB54F84B948439DE4E0F7B0CF3DECA5D304
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0123456789-+Ee
                                                      • API String ID: 0-1347306980
                                                      • Opcode ID: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                      • Instruction ID: 8c56d474226868440dbefd95ca10d49721b9bd82947f2d71860e8869346fa0f2
                                                      • Opcode Fuzzy Hash: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                      • Instruction Fuzzy Hash: 68C26C36A09A42C6EB628F9AD19017D3761FB44B84B949179DE4E0B7B0CF3DECA5D700
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014165AB
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141663D
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014166E0
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416B9C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416BEE
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416C35
                                                        • Part of subcall function 00007FFE0141EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0140923E), ref: 00007FFE0141EC08
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                      • String ID:
                                                      • API String ID: 15630516-0
                                                      • Opcode ID: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                      • Instruction ID: 78d0c767cc6aef04b28ef4b82da5f093593601aaf8168ed9f3edc2fd46092fe2
                                                      • Opcode Fuzzy Hash: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                      • Instruction Fuzzy Hash: FF529162A18B8586EB10CF29D4442BD6761FB84B98F519131EF8D1BBB9EF7CE584C340
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416EF7
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416F89
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141702C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014174E8
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141753A
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01417581
                                                        • Part of subcall function 00007FFE0141EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0140923E), ref: 00007FFE0141EC08
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                      • String ID:
                                                      • API String ID: 15630516-0
                                                      • Opcode ID: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                      • Instruction ID: 748e48816144f59f553dfeed9376feca39e37365202c8ee98ff7e6f20934d904
                                                      • Opcode Fuzzy Hash: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                      • Instruction Fuzzy Hash: AE527062A18B8586EB10CF29D4442BD7761FB84B99F519132EB8D0BBB5EF3CE585C340
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 1799700165-0
                                                      • Opcode ID: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                      • Instruction ID: 3a6b280c2881091f38a62e61b74d670a019ca3ad59059a788fa850ef2ffa55ac
                                                      • Opcode Fuzzy Hash: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                      • Instruction Fuzzy Hash: D52112B5611A80CAE71DEE37A8523EA1362E79C7C4F149536BF594FAAEDE31C4218340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                      • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                      • API String ID: 1825414929-3606100449
                                                      • Opcode ID: ddd61782d9e4402da2bcb03becf798ae66cc8a3793171496245683449c1d3606
                                                      • Instruction ID: 267eae5ab12513735773ca69f8d10b63c73a63b502ed64d25f08d25bbd7a9c0d
                                                      • Opcode Fuzzy Hash: ddd61782d9e4402da2bcb03becf798ae66cc8a3793171496245683449c1d3606
                                                      • Instruction Fuzzy Hash: 4FD23826A09A8686EB568FDAD09017C3361FB54F84B549039DE5E0B7B4CF3DEC9AD310
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                      • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                      • API String ID: 1825414929-3606100449
                                                      • Opcode ID: a2c3201d2fc563089677c4d096e338824b1e6b1947c9be9f1e037a0ad47d033a
                                                      • Instruction ID: a0691aeee1927ac17dff4f9d2aaff7f225d043045f6fb6d4fc975eee95b5f54d
                                                      • Opcode Fuzzy Hash: a2c3201d2fc563089677c4d096e338824b1e6b1947c9be9f1e037a0ad47d033a
                                                      • Instruction Fuzzy Hash: 30D25926A09A4686EB528F9AD19017C3761FB40F84B549839DF5E1B7B0CF3DECA6D310
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                      • String ID:
                                                      • API String ID: 1326169664-0
                                                      • Opcode ID: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                      • Instruction ID: 15e3bb1d1e740cde8be907a6ea62339ac50dc69c79779b2982dc86070a051ca5
                                                      • Opcode Fuzzy Hash: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                      • Instruction Fuzzy Hash: CFE15B22B19B5686EB11DFA6D4401AC73B2FB48B98B514136DE4D2BBB9DF3CD54AC300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                      • String ID:
                                                      • API String ID: 1326169664-0
                                                      • Opcode ID: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                      • Instruction ID: 3c6fbb5760a0435cd1b2de23b39ed78b4ee84ecf8d135b80596b324515fa34f0
                                                      • Opcode Fuzzy Hash: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                      • Instruction Fuzzy Hash: 7DE15C22B09B5686FB11DBA6D4401AC7372FB48B98B51413ADE4D1BBB9DF3CD84AC300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memchr
                                                      • String ID: 0123456789ABCDEFabcdef-+Xx
                                                      • API String ID: 2740501399-2799312399
                                                      • Opcode ID: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
                                                      • Instruction ID: fdf844f9999b0aa64c981cf4e1719c09e3a2cc4450d4874ea3da9a76e1629970
                                                      • Opcode Fuzzy Hash: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
                                                      • Instruction Fuzzy Hash: C052AF22B09AC68AFB519F29D05027C37A1BB05B84B568439DE5D2F7B5CF3DE866D300
                                                      APIs
                                                        • Part of subcall function 00007FFE01427600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE013F3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0142760F
                                                        • Part of subcall function 00007FFE013FF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01424C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66), ref: 00007FFE013FF6FC
                                                      • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE77), ref: 00007FFE01415F35
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE77), ref: 00007FFE01415F4A
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE77), ref: 00007FFE01415F58
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Gettnames_lock_localesrealloc
                                                      • String ID:
                                                      • API String ID: 3705959680-0
                                                      • Opcode ID: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
                                                      • Instruction ID: 911489c45996b86c180fcf0db2ace2aa41c70c0d3ebd91cae5acb811dd4c36aa
                                                      • Opcode Fuzzy Hash: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
                                                      • Instruction Fuzzy Hash: 6E821762E09B4285FB56DF25E8402B937A1FF95B84F844135EA0E5E3B6EF3CE4818744
                                                      APIs
                                                        • Part of subcall function 00007FFE01427600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE013F3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0142760F
                                                        • Part of subcall function 00007FFE013FF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01424C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66), ref: 00007FFE013FF6FC
                                                      • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE88), ref: 00007FFE01415245
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE88), ref: 00007FFE0141525A
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE88), ref: 00007FFE01415268
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Gettnames_lock_localesrealloc
                                                      • String ID:
                                                      • API String ID: 3705959680-0
                                                      • Opcode ID: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
                                                      • Instruction ID: b126b822032464e2610a96b727943718053427825fae5298d6aa3abb964c4528
                                                      • Opcode Fuzzy Hash: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
                                                      • Instruction Fuzzy Hash: 75821961E09B4285FB52DF25D8502B937A6BF94B84F894135EA0E5F3B6EF3CE4818740
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID: GetLastError() = 0x%X
                                                      • API String ID: 3479602957-3384952017
                                                      • Opcode ID: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                      • Instruction ID: 03957f339625c86e619908699dc07c15f857aa178ffe48bb474e222578fe156c
                                                      • Opcode Fuzzy Hash: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                      • Instruction Fuzzy Hash: 63219032A18BC083E7118B2AE400399B7A4F7D97A4F159315EBE8036E9EB78C545CB40
                                                      APIs
                                                        • Part of subcall function 00007FFE01421E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01421F72
                                                        • Part of subcall function 00007FFE01427600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE013F3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0142760F
                                                      • _Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66,?,?,?,?,?,?,?,00007FFE013FF7E7), ref: 00007FFE01424BCF
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66,?,?,?,?,?,?,?,00007FFE013FF7E7), ref: 00007FFE01424BE4
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66,?,?,?,?,?,?,?,00007FFE013FF7E7), ref: 00007FFE01424BF3
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
                                                      • String ID:
                                                      • API String ID: 962949324-0
                                                      • Opcode ID: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                      • Instruction ID: 7136e14f5a15320971dc6b792c29ca5615029707810a2edc5c2ddf5da90167c7
                                                      • Opcode Fuzzy Hash: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                      • Instruction Fuzzy Hash: E9325925A09B0285FB51DF25E8441B937A6FFA4B84B894035EA0E4F7B6EF3CE4818341
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014146ED
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141473B
                                                        • Part of subcall function 00007FFE0141EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0140923E), ref: 00007FFE0141EC08
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                      • String ID:
                                                      • API String ID: 15630516-0
                                                      • Opcode ID: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                      • Instruction ID: a5d8537b2bb3b91d4c92feec80caa1742e4585bd9571a2363e8f82915d766a40
                                                      • Opcode Fuzzy Hash: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                      • Instruction Fuzzy Hash: 6DD14B22B09B9686FB10CFA5D5402AC6372EB48B98F454532DE5D2BBB9DF3CE459C340
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014142AD
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014142FB
                                                        • Part of subcall function 00007FFE0141EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0140923E), ref: 00007FFE0141EC08
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                      • String ID:
                                                      • API String ID: 15630516-0
                                                      • Opcode ID: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                      • Instruction ID: 72bb24b7e968e5676f360831866536c7f7df2e16f6271fb8285e948d4939a777
                                                      • Opcode Fuzzy Hash: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                      • Instruction Fuzzy Hash: 22D14A22B09B5686FB10CFA5D5542AC63B2EB48B98F454132DE4D2BBB9DF3CE449C340
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                      • String ID:
                                                      • API String ID: 1654775311-0
                                                      • Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                      • Instruction ID: 1fb699311109f47b8383a1e2d679b76a42f723b0c56a2d3a631fb20cf7476a43
                                                      • Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                      • Instruction Fuzzy Hash: 79A1C462F096A285FB119BA6D4506BC37A1BB45B98F564039DE4E1FBB5CF3CD861C300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                      • String ID:
                                                      • API String ID: 1654775311-0
                                                      • Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                      • Instruction ID: c313af9479ceafabf99280874f5f5ea31e3857a27d0d06bb6360d12ce506ed01
                                                      • Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                      • Instruction Fuzzy Hash: 68A19362F096A286FB118BA6E4506BC37A1BB55B98F554039DE4E1FBB4DF3C9851C300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memmove$DiskFreeSpace_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 1915456417-0
                                                      • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                      • Instruction ID: 61629fd60b6159e3f4045915ccedf8196e816c7c6fcc868f0c3eeb29ab77bbe3
                                                      • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                      • Instruction Fuzzy Hash: F4416D22B14B8598FB00DFA1D8406AC3BB5FB48BA8F555629DE5D27BA8DF7CD085C340
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: InfoLocale___lc_locale_name_func
                                                      • String ID:
                                                      • API String ID: 3366915261-0
                                                      • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                      • Instruction ID: dcd277f1727c33cf4c0dcbf07359ee9b4be2fd4d0c3c0a78fc2d22a5e00c5508
                                                      • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                      • Instruction Fuzzy Hash: 81F039B6E2C14283E7A85B28E4697392B60FB4474AF400136E90F4E6B4CF6DE94ED741
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                      • Instruction ID: 2bbc3db8710b2d842226b35d564bc0757b78124e8338025138170a4776a47086
                                                      • Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                      • Instruction Fuzzy Hash: 01020326A19A468AEB618F29D45037D33A1FB54F88F549032EA4E1F7B5CF3DD886C350
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                      • Instruction ID: 65f20101e7501427282c299a2831c4a9abc4750940e4f43d0da71b9a0aa784c0
                                                      • Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                      • Instruction Fuzzy Hash: E8026E22A09A4689EB518F2AD45077C37A1FB64F98F949131CA4E4F7B5CFBDD882C311
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _lock_locales
                                                      • String ID:
                                                      • API String ID: 3756862740-0
                                                      • Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                      • Instruction ID: 3b7e7ffa4f940b4d69a81e245852395385cf6753d50ee24bad1702c89a7960d6
                                                      • Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                      • Instruction Fuzzy Hash: 4DE15C22E09B8285FB56AF25A8401B933A5EF54BD0F454139ED4E5F7B6DF3CE4428740
                                                      APIs
                                                      • memset.VCRUNTIME140 ref: 000000014000475B
                                                        • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                        • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                        • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                      • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                        • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                      • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                      • API String ID: 2423274481-1946953090
                                                      • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                      • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                      • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                      • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                      • API String ID: 2943138195-1388207849
                                                      • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                      • Instruction ID: 9537584096dd76c33232e599b174a01f2d41051065c5c27b1944a4f8d3605257
                                                      • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                      • Instruction Fuzzy Hash: C3F17CB2F08E1284FB558BA6C9542F827B0BB04B64F4045F7CA2D57AB9DF7DA664C340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: `anonymous namespace'
                                                      • API String ID: 2943138195-3062148218
                                                      • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                      • Instruction ID: 5a29b6c1429cfa8d39dfb81238d5c3de45e5da2cb0e28a838a0fff4b6e632f50
                                                      • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                      • Instruction Fuzzy Hash: 1DE13972A08B8699EB10CF66D8801F977B0FB44B68F5480B7EA6D17B65EF38D564C700
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                      • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                      • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                      • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                      • String ID: (
                                                      • API String ID: 703713002-3887548279
                                                      • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                      • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                      • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                      • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                      • String ID: [NOT FOUND ] %s
                                                      • API String ID: 2350601386-3340296899
                                                      • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                      • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                      • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                      • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID:
                                                      • API String ID: 2943138195-0
                                                      • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                      • Instruction ID: b6e59e0cc504c5bc74829672c9f27847007d06e6620818c3fe9095c44e1b4631
                                                      • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                      • Instruction Fuzzy Hash: 32F17972B08E829AE710DFA6D4901FC37B1EB04B5CF4480B3EA5D57AA9DE38D569C340
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                      • String ID:
                                                      • API String ID: 1818695170-0
                                                      • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                      • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                      • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                      • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                      • API String ID: 2943138195-2309034085
                                                      • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                      • Instruction ID: dba9019643add3a13f723db1e8b7b07992cb6b706a52ac1c0c4e976060fb1b6b
                                                      • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                      • Instruction Fuzzy Hash: 80E1AE62F08E5284FB149B66C9541FC27B0AF44F64F5401F7CAAD17AB9DE3CA9A8C341
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                      • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                      • API String ID: 140832405-680935841
                                                      • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                      • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                      • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                      • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 3436797354-393685449
                                                      • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                      • Instruction ID: a170910458eba7292d1ca9403bdb50b112e74424914ca85558114a1636717424
                                                      • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                      • Instruction Fuzzy Hash: CCD17072B08B8186EB609F66D4402BD77B4FB45BA8F0401B6DE9D57B69CF38E4A4C740
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                      • String ID:
                                                      • API String ID: 3420081407-0
                                                      • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                      • Instruction ID: f4588367c80a70311fb496792d0b497f31fbce1798604a99e838af66e09d7a63
                                                      • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                      • Instruction Fuzzy Hash: D4A1B162A086C2C6FF31AF2094107BB6692EF04BA4F454639DE5D2E7E5DF7CE8488340
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A87E), ref: 00007FFE01406971
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A87E), ref: 00007FFE0140698E
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE014069AA
                                                      • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A87E), ref: 00007FFE014069B3
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A87E), ref: 00007FFE014069D0
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE014069EC
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01406A01
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memmove.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      Strings
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01406999
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE014069DB
                                                      • :AM:am:PM:pm, xrefs: 00007FFE014069FA
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                      • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 269533641-35662545
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                      • String ID:
                                                      • API String ID: 1733283546-0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                      • String ID:
                                                      • API String ID: 3166507417-0
                                                      APIs
                                                      • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                      • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                      • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                      • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                      • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                      • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                      • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                      • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                      • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                      • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                        • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                        • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                        • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                        • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                        • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                        • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                        • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                        • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                      • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                      • String ID:
                                                      • API String ID: 2702579277-0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                      • API String ID: 0-3207858774
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+$Name::operator+=
                                                      • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                      • API String ID: 179159573-1464470183
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                      • String ID:
                                                      • API String ID: 3781602613-0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID:
                                                      • API String ID: 2943138195-0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820453162.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                       • Associated: 00000009.00000002.1820426233.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820522114.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820547380.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a450000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$AdjustPointermemmove
                                                      • String ID:
                                                      • API String ID: 338301193-0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 211107550-393685449
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820453162.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                       • Associated: 00000009.00000002.1820426233.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820522114.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820547380.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a450000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 211107550-393685449
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memchrtolower$_errnoisspace
                                                      • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                      • API String ID: 3508154992-2692187688
                                                      • Opcode ID: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                      • Instruction ID: ea714a6a99bd1aefc24bf811c340c45e514dab14f22a4f16681f19b7f96581aa
                                                      • Opcode Fuzzy Hash: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                      • Instruction Fuzzy Hash: 1751FA12A0D7D246FB618F2499143BD6691BB55BE4FB84030CE9D4FBB5DE3CA882C712
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                      • API String ID: 2943138195-2239912363
                                                      • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                      • Instruction ID: 9ae0265f05c1baf5e62756abfdd888c9f5bf29699ca226719b38bcc9b566bba6
                                                      • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                      • Instruction Fuzzy Hash: E7514762F18F8688FB558B62D8412BC77B0BB08B64F4441F7DA5D53AA5DF3CA065CB10
                                                      APIs
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                        • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                        • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                        • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                        • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                        • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                      • String ID: ImptRED_CEvent_
                                                      • API String ID: 2242036409-942587184
                                                      • Opcode ID: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                      • Instruction ID: 9b405900c275d478bf9193c59fc3990d56eeb31e22b03c6e117ca8d8066cf312
                                                      • Opcode Fuzzy Hash: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                      • Instruction Fuzzy Hash: 1D519AB2204B8096EB11CB6AE89079E7B70F389B98F504111EF8D57BA9DF3DC549CB00
                                                      APIs
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                        • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                        • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                        • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                        • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                        • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                      • String ID: ImptRED_SEvent_
                                                      • API String ID: 2242036409-1609572862
                                                      • Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                      • Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
                                                      • Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                      • Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40
                                                      APIs
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                        • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                        • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                        • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                        • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                        • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                      • String ID: ImptRED_CmdMap_
                                                      • API String ID: 2242036409-3276274529
                                                      • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                      • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                      • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                      • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                      APIs
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                        • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                        • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                        • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                        • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                        • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                      • String ID: ImptRED_DMap_
                                                      • API String ID: 2242036409-2879874026
                                                      • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                      • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                      • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                      • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 1099746521-1866435925
                                                      • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                      • Instruction ID: 906b499b5c6fd16a29edcf86ca7eb8a1217bf44ff731c96d7a8a3406cc29dcbb
                                                      • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                      • Instruction Fuzzy Hash: 4A21F5A1E1958A96FF54EB10E8837F92322EF50740F98443AD58E1E5B6EF2DE54AC340
                                                      APIs
                                                        • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                        • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                        • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                        • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                      • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                      • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                      • String ID: MRDH$SideCarLut
                                                      • API String ID: 916663099-3852011117
                                                      • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                      • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                      • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                      • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                      • Instruction ID: 4ba8893faf807f1f1ad577847dbc6b5fdd41119bc0d3ced61992d9ad6cc883b5
                                                      • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                      • Instruction Fuzzy Hash: 78619D22A08A8686EF64DF19E4913B96761FF80F89F548136CA4E4B7B5DF7DD446C300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 1428583292-1866435925
                                                      • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                      • Instruction ID: 0e771680fa94b85d8f644288c44d8d82c871c1432b329babdd3ad2b5524fb7bc
                                                      • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                      • Instruction Fuzzy Hash: 10717D72619A82D6EB51CF66E4802A933A0FB44B88F894036EB4D4BBB5DF3DD955C300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                      • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                      • API String ID: 1852475696-928371585
                                                      • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                      • Instruction ID: 5fa10fdce8dcb5356498265a4192ebe5b9b5713b16bdcf8e4c95d039b1b90389
                                                      • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                      • Instruction Fuzzy Hash: E0519F62B09E8692EE24CB66E4905B9A370FF44FA4F4044B3DA9D07A75DF3CE525C341
                                                      APIs
                                                      • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE014398D3
                                                      • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0142C678), ref: 00007FFE014398E4
                                                      • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE01439927
                                                      • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0142C678), ref: 00007FFE01439938
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                      • Instruction ID: b1959b1d913e132410ef4697aa88504056e5d74880b6ae8d49394b8075051df3
                                                      • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                      • Instruction Fuzzy Hash: B9617B22A18A46C2EB68CF19E4913B96760FF80F98F458036CA4E4B3B5DFADD446C300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memchrtolower$_errnoisspace
                                                      • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                      • API String ID: 3508154992-4256519037
                                                      • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                      • Instruction ID: 6c23253563a7be9212e220d0779ed1e82e2213a77c069c1800a2b0f6d9e8d94e
                                                      • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                      • Instruction Fuzzy Hash: C6512822A0D69646FB618E20E42077D7691BF65B98F994034DD8D8B7B4DF3CE882C712
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                      • Instruction ID: 787fe88f534caeddeb85b322243a91f45219a100c4cb62fb1db474d0fe8ef787
                                                      • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                      • Instruction Fuzzy Hash: C75180A2A08A8982EF50EF19D4C02B9A361FF44F98F554536DA5D9B7B9DF3CD846C300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+$Name::operator+=
                                                      • String ID: {for
                                                      • API String ID: 179159573-864106941
                                                      • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                      • Instruction ID: b5ff9ad7d75d44de82479b1d1ea989e6cb238eeed99a53d98c6831248690d940
                                                      • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                      • Instruction Fuzzy Hash: DF512AB2B08A8599E7119F66D4413FC73A1EB45B68F8480F2EA5C4BBA5EF7CD564C300
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A466A6B,?,?,00000000,00007FFE1A46689C,?,?,?,?,00007FFE1A4665E5), ref: 00007FFE1A466931
                                                      • GetLastError.KERNEL32(?,?,?,00007FFE1A466A6B,?,?,00000000,00007FFE1A46689C,?,?,?,?,00007FFE1A4665E5), ref: 00007FFE1A46693F
                                                      • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A466A6B,?,?,00000000,00007FFE1A46689C,?,?,?,?,00007FFE1A4665E5), ref: 00007FFE1A466958
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A466A6B,?,?,00000000,00007FFE1A46689C,?,?,?,?,00007FFE1A4665E5), ref: 00007FFE1A46696A
                                                      • FreeLibrary.KERNEL32(?,?,?,00007FFE1A466A6B,?,?,00000000,00007FFE1A46689C,?,?,?,?,00007FFE1A4665E5), ref: 00007FFE1A4669B0
                                                      • GetProcAddress.KERNEL32(?,?,?,00007FFE1A466A6B,?,?,00000000,00007FFE1A46689C,?,?,?,?,00007FFE1A4665E5), ref: 00007FFE1A4669BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                      • String ID: api-ms-
                                                      • API String ID: 916704608-2084034818
                                                      • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                      • Instruction ID: c7d80991d5b7b2fc89eb12b231d97325ca4b7f5a7539b8ce03e98701c9b29696
                                                      • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                      • Instruction Fuzzy Hash: 78319021B1AF8291EE199B07A8005B5A2A4BF44FB0F1945B7DD2D0B7B4EF3CE168C740
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A4535DD
                                                      • GetLastError.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A4535EB
                                                      • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A453604
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A453616
                                                      • FreeLibrary.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A45365C
                                                      • GetProcAddress.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A453668
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820453162.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                      • Associated: 00000009.00000002.1820426233.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmp
                                                      • Associated: 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
                                                      • Associated: 00000009.00000002.1820522114.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmp
                                                      • Associated: 00000009.00000002.1820547380.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a450000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                      • String ID: api-ms-
                                                      • API String ID: 916704608-2084034818
                                                      • Opcode ID: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
                                                      • Instruction ID: 4c7697f960399a6fe41d7a27a0a58cfa91874543dcc4120afa2ed25dc96e39d3
                                                      • Opcode Fuzzy Hash: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
                                                      • Instruction Fuzzy Hash: 2631B261B1AE4291EE21AB13A82057A63D4BF48FB0F5945FADD1D473A0DF3CF4658740
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE01421309
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE01421326
                                                      • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE0142134B
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE01421368
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memmove.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      Strings
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01421331
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE01421373
                                                      • :AM:am:PM:pm, xrefs: 00007FFE01421392
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                      • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 2607222871-35662545
                                                      • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                      • Instruction ID: 3db0a7b9ad755819336767602133b0c53061a66b95ffb94ddd5373a997c9c6b9
                                                      • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                      • Instruction Fuzzy Hash: F2213E76A04B8582EB10DF21E4402A973A2FB98F94F498635DA4D5B776EF3CE585C380
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE01406A5E
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE01406A7B
                                                      • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE01406A9B
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE01406AB8
                                                        • Part of subcall function 00007FFE013F4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4DF9
                                                        • Part of subcall function 00007FFE013F4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E28
                                                        • Part of subcall function 00007FFE013F4DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E3F
                                                      Strings
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE01406AC3
                                                      • :AM:am:PM:pm, xrefs: 00007FFE01406AD4
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01406A86
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                      • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 2607222871-3743323925
                                                      • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                      • Instruction ID: dd3629450851faaafa474d19ec1713f4e9ec68baf489643368e3c8f767a6cab0
                                                      • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                      • Instruction Fuzzy Hash: F2214A22A08B4682EB20DF21F454269B3B1FB99B94F414234DA4E4B7B6EF7CE484C740
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                      • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$AdjustPointer
                                                      • String ID:
                                                      • API String ID: 1501936508-0
                                                      • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                      • Instruction ID: 3340ad0ef687755665e0948b2e78bba830d422a79992a7ca10a3492fd47c67ab
                                                      • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                      • Instruction Fuzzy Hash: 97517E21F09F83A1EA659B56984423867B5AF84FA0B0D85F7CA6E077B5DF3CE4658300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$AdjustPointer
                                                      • String ID:
                                                      • API String ID: 1501936508-0
                                                      • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                      • Instruction ID: d2a6b68a0db477eb576b49ff3885c99ef793cb9d4bf6b670516a50575e50c2b7
                                                      • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                      • Instruction Fuzzy Hash: 7A51BE61F0AF42A1EA659F579144A7863B1AF54FA1F0584F7CA6E077B4DF3CE8618300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                      • String ID:
                                                      • API String ID: 578106097-0
                                                      • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                      • Instruction ID: 6a947751c457a589d1951ce27fa929038d86b3a9fcbb4a6c0a43430abe1945da
                                                      • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                      • Instruction Fuzzy Hash: 2961E622F1C65286EB11DF61E4805BE6720FBA4748F904132EE4E5B7B5DE3CD58AC701
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                      • String ID:
                                                      • API String ID: 578106097-0
                                                      • Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                      • Instruction ID: 953b296227c860e83b26a9282d5c13a3550bc1d568f9eac4751fa27584986e61
                                                      • Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                      • Instruction Fuzzy Hash: 5161E222B1CA5282E711DF61E4806FE6760FFA5348F900536EE4E1B6B5DE3CE58AC701
                                                      APIs
                                                        • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                        • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                        • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                      • memcpy.VCRUNTIME140 ref: 000000014000C3C8
                                                      • memcpy.VCRUNTIME140 ref: 000000014000C427
                                                        • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                        • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                      • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                      • API String ID: 1244713665-103080910
                                                      • Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                      • Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
                                                      • Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                      • Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileHeader_local_unwind
                                                      • String ID: MOC$RCC$csm$csm
                                                      • API String ID: 2627209546-1441736206
                                                      • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                      • Instruction ID: 13f36b8ef8a164e65b5ccc2ae67a1e3560f99a3af51df7b62cf897f98c307eae
                                                      • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                      • Instruction Fuzzy Hash: EE518F72B09A1286EB609F36900037966B1FF44FA4F5401F3DA6D433A5DF3CE461CA82
                                                      APIs
                                                      • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                      • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                      • String ID:
                                                      • API String ID: 1492985063-0
                                                      • Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                      • Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
                                                      • Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                      • Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300
                                                      APIs
                                                      • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB38
                                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB48
                                                      • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB5D
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB91
                                                      • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB9B
                                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBBAB
                                                      • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBBBB
                                                        • Part of subcall function 00007FFE014425AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5AF8), ref: 00007FFE014425C6
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memmove$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID:
                                                      • API String ID: 1468981775-0
                                                      • Opcode ID: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                      • Instruction ID: f074bb4193fc39d2620981d47998d6c81fb9090b2953e7f5c51e2fe46d0b0cd0
                                                      • Opcode Fuzzy Hash: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                      • Instruction Fuzzy Hash: 6C41D2A2B08AC592EF14AB16E4042A9A322FB44BC4F954536EF1D1FBBECE7CD041C340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2924853686-1866435925
                                                      • Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                      • Instruction ID: 4e12194930b967f0ac57799e8d505d97b1f28549d3a13319e7fea3cbc80c31a5
                                                      • Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                      • Instruction Fuzzy Hash: F141AD72A14B8686EB55CF65E4403B933A0FB14B98F444139DA4C4F6B5DF3CE9A5CB40
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: CurrentThread$xtime_get
                                                      • String ID:
                                                      • API String ID: 1104475336-0
                                                      • Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                      • Instruction ID: 9423321279c73148f66975f8e9a9b928b5b3cbed908596dee2130ce962642f6d
                                                      • Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                      • Instruction Fuzzy Hash: 9E413B72A09646CBEB61CF56E44427977A1FB44B44F10803ADB8E4A6B4DF3EEC85C701
                                                      APIs
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE01413B56
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01413BCF
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01413BE5
                                                      • _Getvals.LIBCPMT ref: 00007FFE01413C8A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                      • String ID: false$true
                                                      • API String ID: 2626534690-2658103896
                                                      • Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                      • Instruction ID: bf1b83a154f8da1d80604fc93e994b4571834da301881aac0453ec4881b43f5b
                                                      • Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                      • Instruction Fuzzy Hash: 5E415D26B08B919AF711CF74E4401ED33B1FB9874CB405226EE4D2BA69EF38D596C340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: NameName::atol
                                                      • String ID: `template-parameter$void
                                                      • API String ID: 2130343216-4057429177
                                                      • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                      • Instruction ID: 281848e25189939d8f46b3d671101bd4d76b77b385028f46700257289bff91cd
                                                      • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                      • Instruction Fuzzy Hash: F2414A22F08F9688FB00DBA6D8512FC2371BB08BA4F5411B6CE5D17A65DF3CA569C340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: char $int $long $short $unsigned
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Dunscale$_errno
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Dunscale$_errno
                                                      • String ID:
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                      • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: fgetc
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileHandle$CloseCreateInformation
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                      • String ID:
                                                      APIs
                                                      • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2F59
                                                      • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2F6B
                                                      • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2F7A
                                                      • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2FE0
                                                      • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2FEE
                                                      • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F3001
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                      • String ID:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle$FileUnmapView
                                                      • String ID:
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$CallEncodePointerTranslator
                                                      • String ID: MOC$RCC
                                                      • API String ID: 2889003569-2084237596
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820453162.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a450000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$CallEncodePointerTranslator
                                                      • String ID: MOC$RCC
                                                      • API String ID: 2889003569-2084237596
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                      • API String ID: 2943138195-757766384
                                                      APIs
                                                      • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                        • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                        • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                      • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                      • API String ID: 3207467095-2931640462
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$CallEncodePointerTranslator
                                                      • String ID: MOC$RCC
                                                      • API String ID: 2889003569-2084237596
                                                      APIs
                                                      • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0142B212), ref: 00007FFE0142BBFE
                                                      • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0142B212), ref: 00007FFE0142BC0F
                                                      • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0142B212), ref: 00007FFE0142BC76
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: iswspace$iswxdigit
                                                      • String ID: (
                                                      • API String ID: 3812816871-3887548279
                                                      APIs
                                                      • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01429122), ref: 00007FFE01429CFA
                                                      • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01429122), ref: 00007FFE01429D0B
                                                      • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01429122), ref: 00007FFE01429D64
                                                      • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01429122), ref: 00007FFE01429E14
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: isspace$isalnumisxdigit
                                                      • String ID: (
                                                      • API String ID: 3355161242-3887548279
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0140A22C), ref: 00007FFE01413A25
                                                        • Part of subcall function 00007FFE013FB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7BF
                                                        • Part of subcall function 00007FFE013FB794: memmove.VCRUNTIME140(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7DB
                                                      • _Getvals.LIBCPMT ref: 00007FFE01413A61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                      • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                      • API String ID: 3031888307-3573081731
                                                      APIs
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE01413CE2
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01413D5B
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01413D71
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                      • String ID: false$true
                                                      • API String ID: 309754672-2658103896
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      APIs
                                                      • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                      • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                      • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                      • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                      • String ID:
                                                      • API String ID: 3275830057-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: fgetwc
                                                      • String ID:
                                                      • API String ID: 2948136663-0
                                                      • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                      • Instruction ID: 3db00aabf613547c8474c57bb9a1feddc54593c2d823dc3a1ceb4c6e0e05bdeb
                                                      • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                      • Instruction Fuzzy Hash: 45815D72609A41C9DB21CFA6C0903AC33A1FB48B88F55153AEB4E4BBA9DF3DD854C300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 2665656946-0
                                                      • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                      • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                      • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                      • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                      APIs
                                                      • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FB9D3
                                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FB9E1
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBA1A
                                                      • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBA24
                                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBA32
                                                        • Part of subcall function 00007FFE014425AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5AF8), ref: 00007FFE014425C6
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memmovememset$_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID:
                                                      • API String ID: 3042321802-0
                                                      • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                      • Instruction ID: 829428d7647aba1e5c6e6fc20a8d14b9ed1971c285d01d35c2154ca3f64ab818
                                                      • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                      • Instruction Fuzzy Hash: FA318061B086C291EF14AA16E5043AAA352FB04BD0F594535EF5D1FBAADE7CE0819300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: NameName::$Name::operator+
                                                      • String ID:
                                                      • API String ID: 826178784-0
                                                      • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                      • Instruction ID: 6dacf42679e37767e9a6e71146ceeddf0ea36b741deb9a3e94f1f5ffbaf00e4e
                                                      • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                      • Instruction Fuzzy Hash: 3C414922B08E9698EB10CF63D9811B833B4BB19FA4B5440F3DA6D577A5DF38E965C300
                                                      APIs
                                                        • Part of subcall function 00007FFE01402160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE013F4C3E,?,?,00000000,00007FFE013F5B5B), ref: 00007FFE0140216F
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C47
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C5B
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C6F
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C83
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C97
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4CAB
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$setlocale
                                                      • String ID:
                                                      • API String ID: 294139027-0
                                                      • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                      • Instruction ID: 9ee17a2731a19423157ecdd698ce1aac234f08a141f5ac1fcab50ef2dc036d7f
                                                      • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                      • Instruction Fuzzy Hash: C1112D22A06A4582FF199FA1D0F573923A2EF48F08F181138CA0E1D178CF6DD894D380
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$abortfputcfputs
                                                      • String ID:
                                                      • API String ID: 2697642930-0
                                                      • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                      • Instruction ID: c812be0518abd22c97cf41dbc87e1815a2fe471880552ae143fd062ee4b239a8
                                                      • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                      • Instruction Fuzzy Hash: 8AE0ECA4E0864687FF086B61EC193346327DF48B92F240438C90F8E378CE3C54984251
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                      • String ID: %.0Lf$0123456789-
                                                      • API String ID: 4032823789-3094241602
                                                      • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                      • Instruction ID: a964b73d0cbec54b1a4f4afe06c40b517a8807e07745aed6fd0454e2555fe60f
                                                      • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                      • Instruction Fuzzy Hash: 37714B72B59B6589EB00CFA5E8942AC2371EB48B98F404136DE4D5BBB8DE3CD44AC344
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                      • String ID: 0123456789-
                                                      • API String ID: 2457263114-3850129594
                                                      • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                      • Instruction ID: c70cd1d4156369aee48da3db435fe46094c77924ccb580820d6bf0b1f3f1f557
                                                      • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                      • Instruction Fuzzy Hash: A4716B32B09B9589FB11CBA5E4502AC7771EB59B98F850135DE4D2BBB9CE3CD49AC300
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                      • String ID: gfffffff$gfffffff
                                                      • API String ID: 3668304517-161084747
                                                      • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                      • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                      • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                      • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                      • String ID: %.0Lf
                                                      • API String ID: 1248405305-1402515088
                                                      • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                      • Instruction ID: de6a35ca3b20a25bf45af280d3e488a0cf826fb2575ca4c34eac229d13082a2d
                                                      • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                      • Instruction Fuzzy Hash: 35619222B08B8586EB01DBB5E8502AD7762FF69B98F544135EE4D2BB79DE3CD045C300
                                                      APIs
                                                        • Part of subcall function 00007FFE1A466710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A46239E), ref: 00007FFE1A46671E
                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4641C3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort
                                                      • String ID: $csm$csm
                                                      • API String ID: 4206212132-1512788406
                                                      • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                      • Instruction ID: 6f50a36ca883886a7e3aafa40cb044ccfc2ce64156960597f32f2df646a6c02f
                                                      • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                      • Instruction Fuzzy Hash: BB71B376708A9186DB608F1695447B97BB2FB04FE8F1481B6DF9C07AA6CB3CD4A1C740
                                                      APIs
                                                        • Part of subcall function 00007FFE1A45349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A451222), ref: 00007FFE1A4534DC
                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45222F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820453162.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                       • Associated: 00000009.00000002.1820426233.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820522114.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820547380.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a450000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort
                                                      • String ID: $csm$csm
                                                      • API String ID: 4206212132-1512788406
                                                      • Opcode ID: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
                                                      • Instruction ID: 09948e05cd1fe1754d755000a0d549ad12727534ed48f0b3eb3cd0f1aeef1a60
                                                      • Opcode Fuzzy Hash: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
                                                      • Instruction Fuzzy Hash: EA71A2B2A08A8186D761AF22D45077D7BA0EB01FA9F0481B7FE4C57AA5CF3CD4A1C700
                                                      APIs
                                                        • Part of subcall function 00007FFE1A466710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A46239E), ref: 00007FFE1A46671E
                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A463F13
                                                      • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A463F23
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                      • String ID: csm$csm
                                                      • API String ID: 4108983575-3733052814
                                                      • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                      • Instruction ID: dc58ff9c7d5aad7eb6626e69c976f18282211ff764a20537ee3a5b30e1d75796
                                                      • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                      • Instruction Fuzzy Hash: 0D514B32A08E8286EB648F16A54427976B0FB54FA5F1441B7DBAD47AE5CF3CF860C700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Exception$RaiseThrowabort
                                                      • String ID: csm
                                                      • API String ID: 3758033050-1018135373
                                                      • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                      • Instruction ID: 1124a6f1e9041ffac7163f3f78dae90175e2735aa95a7e86d5ff78f36b3869ff
                                                      • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                      • Instruction Fuzzy Hash: D3515C22904BC5C6EB21DF28D4502A833A0FB58B98F159326DA5D1B7B6DF7DE5D5C300
                                                      APIs
                                                      • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE013FF8D4
                                                      • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE013FF8E6
                                                      • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE013FF96B
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memmove.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: setlocale$freemallocmemmove
                                                      • String ID: bad locale name
                                                      • API String ID: 4085402405-1405518554
                                                      • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                      • Instruction ID: 656f286bb1330242dd1c7557d4b69de0e7e77b7496311e961e70b80a697777f2
                                                      • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                      • Instruction Fuzzy Hash: 1B31B423F086D242FF55AB15E44417A6696EF84BC0F598039DE5D5F7B5DE3CE8818340
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0140A07C), ref: 00007FFE014138E1
                                                        • Part of subcall function 00007FFE013FB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7BF
                                                        • Part of subcall function 00007FFE013FB794: memmove.VCRUNTIME140(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7DB
                                                        • Part of subcall function 00007FFE014067B0: _Maklocstr.LIBCPMT ref: 00007FFE014067E0
                                                        • Part of subcall function 00007FFE014067B0: _Maklocstr.LIBCPMT ref: 00007FFE014067FF
                                                        • Part of subcall function 00007FFE014067B0: _Maklocstr.LIBCPMT ref: 00007FFE0140681E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                      • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                      • API String ID: 2504686060-3573081731
                                                      • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                      • Instruction ID: 5688e7ba9f6f8f7f3f74af9f1a39f5a683b41b2321e59823f8547b0338cb4516
                                                      • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                      • Instruction Fuzzy Hash: 6841CC72A18B8297E720CF21D18056EBBA2FB84B91B054235CB8947A21DF7CF566CB00
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFE01422278), ref: 00007FFE0142434D
                                                        • Part of subcall function 00007FFE013FB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7BF
                                                        • Part of subcall function 00007FFE013FB794: memmove.VCRUNTIME140(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7DB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                      • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                      • API String ID: 462457024-3573081731
                                                      • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                      • Instruction ID: 3f3427ecad3a27603c0f519c9f87131ed97cfec1e8203630c5c6f20e41b695e0
                                                      • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                      • Instruction Fuzzy Hash: BA41DE72A08B8297E724CF25D58056E7BA0FB94B81B494235DB8947E31DF3CF5A2CB00
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: NameName::
                                                      • String ID: %lf
                                                      • API String ID: 1333004437-2891890143
                                                      • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                      • Instruction ID: 0738ce5a5e6581e922d1446b93f0bdb61c79c2669c134ad79077a7f7cf53f4d9
                                                      • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                      • Instruction Fuzzy Hash: 70319022B0CEC185EA60CB27A8502BA7371FB45F94F4481F2E9AD47265CF3CD511C700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileFindNext$wcscpy_s
                                                      • String ID: .
                                                      • API String ID: 544952861-248832578
                                                      • Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                      • Instruction ID: 0be135281fad1251dffd2e4b31b6bc67bc504d546eabed2e532c314807ce7a19
                                                      • Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                      • Instruction Fuzzy Hash: DF216366A0C6C186FB70AF25E8483B973A0EB48B94F454135EA8D5B6B4DF7CD4458B40
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set
                                                      • API String ID: 1099746521-3882152299
                                                      • Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                      • Instruction ID: b896e3e4b4444bac8cd1c314fa0d1e2bea792da65e0179d3c55c599e6006891b
                                                      • Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                      • Instruction Fuzzy Hash: 4C01F991F2C68B92FF18E725D842BBD1312EF90744F55853ED58E2EAB6DE3DE5068200
                                                      APIs
                                                        • Part of subcall function 00007FFE1A466710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A46239E), ref: 00007FFE1A46671E
                                                      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A46243E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abortterminate
                                                      • String ID: MOC$RCC$csm
                                                      • API String ID: 661698970-2671469338
                                                      • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                      • Instruction ID: e0c7e67050e7bcc879ce441277c353e79006899390e7b5a79779cd836a9446af
                                                      • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                      • Instruction Fuzzy Hash: C6F04F36A18A4681EB545F66E1810B9B675FB48F65F1950F3D76C07272CF3CD8B0CA81
                                                      APIs
                                                        • Part of subcall function 00007FFE1A45349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A451222), ref: 00007FFE1A4534DC
                                                      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4512A6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820453162.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                       • Associated: 00000009.00000002.1820426233.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820522114.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820547380.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a450000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abortterminate
                                                      • String ID: MOC$RCC$csm
                                                      • API String ID: 661698970-2671469338
                                                      • Opcode ID: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
                                                      • Instruction ID: 2d019762d402d2b13b52595a7bb5cef6abbaccc731d504cdd7bcb820f87a5c18
                                                      • Opcode Fuzzy Hash: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
                                                      • Instruction Fuzzy Hash: 7BF04476A18A4682D750BB16E54517C36A4EF49F64F1551F2D74846262CF3CE8B0CB01
                                                      APIs
                                                      • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE1A46E9F0
                                                        • Part of subcall function 00007FFE1A46EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A46ECF0
                                                        • Part of subcall function 00007FFE1A46EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A46E9F5), ref: 00007FFE1A46ED3F
                                                        • Part of subcall function 00007FFE1A466710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A46239E), ref: 00007FFE1A46671E
                                                      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A46EA1A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                      • String ID: csm$f
                                                      • API String ID: 2451123448-629598281
                                                      • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                      • Instruction ID: fa336cb7a7e8406a77e6e23331e4e67d0def185a5ca33e0f082f69644f79dd4a
                                                      • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                      • Instruction Fuzzy Hash: 1FE0A071F18A8280E7346BA2A18217866F1AF14F60F1880F6DA5C07666CE39E4B08641
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID:
                                                      • API String ID: 2943138195-0
                                                      • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                      • Instruction ID: bd72942c8ca2ed15108ff94acab9b3221f408333acd05b4673b5e4ddee20fc43
                                                      • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                      • Instruction Fuzzy Hash: FF918166F08E9689FB118BA2D8403FC37B1BB04B24F5440F7DA5D576A6DF78A865C340
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+$NameName::
                                                      • String ID:
                                                      • API String ID: 168861036-0
                                                      • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                      • Instruction ID: 43f08f136af9a81b3cea4d5a95ed8db2eebd54e7bbdd8150a9826076ee470774
                                                      • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                      • Instruction Fuzzy Hash: 9E514B72B18E9688E711CF62E8503BC37B1BB44B68F5480B2DA6E477A5DF39E461C740
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
                                                      • String ID:
                                                      • API String ID: 3533975685-0
                                                      • Opcode ID: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                      • Instruction ID: 948ad675966271c9991ceaad39470193d7d81f5c1b48440d7dc352eab6ab828f
                                                      • Opcode Fuzzy Hash: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                      • Instruction Fuzzy Hash: B431B4B2711A9451EA06DF66F5443EDA291A788BE0F548635AF6C077E5EF38C4E2C300
                                                      APIs
                                                      • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE014067E5), ref: 00007FFE01406EA1
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE014067E5), ref: 00007FFE01406EF2
                                                      • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE014067E5), ref: 00007FFE01406EFC
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE01406F3D
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 2016347663-0
                                                      • Opcode ID: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                      • Instruction ID: 46494802ce9cdec9117d15989d16a464cd0736bb0a7e64eb03552749f494c34b
                                                      • Opcode Fuzzy Hash: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                      • Instruction Fuzzy Hash: 6D410262B0874692EF15DB92E1041796255EB48BE4F560639EF6E0FBF8EE3CE851C340
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 2016347663-0
                                                      • Opcode ID: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                      • Instruction ID: e9e7ed693c8be91739b6f03b50c4821f4bf959aea9c8a58af5babbd23f5e9e29
                                                      • Opcode Fuzzy Hash: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                      • Instruction Fuzzy Hash: 2F31C361B0868686EF14AB16A544369A355EF44BE8F654239EE7D0FBF5DE7CE041C300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_movx$Xp_setw_errnoldexpmemmove
                                                      • String ID:
                                                      • API String ID: 2295688418-0
                                                      • Opcode ID: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                      • Instruction ID: 7cd0abc317083f681f9741cbb355a9762aec2747b76391d30ff3148505578365
                                                      • Opcode Fuzzy Hash: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                      • Instruction Fuzzy Hash: C341D422A1CB4687F7519B2590412BE63A0FF98B54F948231EE4D1B7B6DF3CE94F8640
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                      • String ID:
                                                      • API String ID: 2234106055-0
                                                      • Opcode ID: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                      • Instruction ID: b06568875f6ef40e142a00a3c2dbeba458978eb38326e6ba0621880d135bfe28
                                                      • Opcode Fuzzy Hash: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                      • Instruction Fuzzy Hash: AA31D826A0C7C182FB21AB16E45437D6AA1FB90B91F194039DE8E5F7B9DE3CE485C710
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                      • String ID:
                                                      • API String ID: 3857474680-0
                                                      • Opcode ID: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                      • Instruction ID: d656499cf1c2af985915777661a374fdfa4497d75f154cb4d599cac53e9c5df5
                                                      • Opcode Fuzzy Hash: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                      • Instruction Fuzzy Hash: 1E31D462A0C7C282FB15AB15A45437D6AA1FB90B95F19403ADA8E1F7A9DE2CE484C710
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID:
                                                      • API String ID: 2943138195-0
                                                      • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                      • Instruction ID: 6f7a0c8f5ea239c983c912b33e342d8470e84bb3123b5f1c79df990d1ac1ce87
                                                      • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                      • Instruction Fuzzy Hash: 06415672E08B958AEB01CFA6D8413BC37B0FB44B68F5480A6DA4D57769DF389455C710
                                                      APIs
                                                      • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE0141E921), ref: 00007FFE0142AFB7
                                                      • memmove.VCRUNTIME140(?,00000000,?,?,?,00007FFE0141E921), ref: 00007FFE0142AFDB
                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0141E921), ref: 00007FFE0142AFE8
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0141E921), ref: 00007FFE0142B05B
                                                        • Part of subcall function 00007FFE013F2E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE013F2E5A
                                                        • Part of subcall function 00007FFE013F2E30: LCMapStringEx.KERNEL32 ref: 00007FFE013F2E9E
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: String___lc_locale_name_funcfreemallocmemmovewcsnlen
                                                      • String ID:
                                                      • API String ID: 1076354707-0
                                                      • Opcode ID: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                      • Instruction ID: f06b74c7550a14bd34ba3eeb74f6bb8add422246858c16040b5bee2f3922d97c
                                                      • Opcode Fuzzy Hash: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                      • Instruction Fuzzy Hash: BA21D961B08BD186D7219F12A40096A9B94FB55BD4F984235DE6D1FBF5DE3CD4418304
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _wfsopen$fclosefseek
                                                      • String ID:
                                                      • API String ID: 1261181034-0
                                                      • Opcode ID: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                      • Instruction ID: 39664d18979d145c00ef3af706406949871bdcd4de5c859d1a01ecc4c798d231
                                                      • Opcode Fuzzy Hash: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                      • Instruction Fuzzy Hash: 97319321B1978543EF69DB16A4947767391EF84F84F4A4538CE0E9BBB4DE3CE8418740
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _fsopen$fclosefseek
                                                      • String ID:
                                                      • API String ID: 410343947-0
                                                      • Opcode ID: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                      • Instruction ID: 50fa546092234f24c44faa102d3f5fbd2bded8e646fdc7ccd14c70a9b9a5ed5e
                                                      • Opcode Fuzzy Hash: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                      • Instruction Fuzzy Hash: 46310621B2878A42FB68DB16A4446757793EF84F85F494938CE0E9B7B4DE3CEC418340
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                      • String ID:
                                                      • API String ID: 4174221723-0
                                                      • Opcode ID: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                      • Instruction ID: 329cc6dd5267e1a20a6fc7da630ad77381380cdf8f0f417e816be49fa379c834
                                                      • Opcode Fuzzy Hash: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                      • Instruction Fuzzy Hash: F4315072A18B8441EB128B26E4453AE6751E79DBF4F249301F7FD0B6F9DBB9D5C08600
                                                      APIs
                                                      • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0142576B), ref: 00007FFE0142A604
                                                      • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0142576B), ref: 00007FFE0142A60E
                                                        • Part of subcall function 00007FFE013F26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE013F2728
                                                        • Part of subcall function 00007FFE013F26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE013F274E
                                                        • Part of subcall function 00007FFE013F26E0: GetCPInfo.KERNEL32 ref: 00007FFE013F2792
                                                      • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFE0142576B), ref: 00007FFE0142A631
                                                      • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE0142576B), ref: 00007FFE0142A66F
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                      • String ID:
                                                      • API String ID: 3421985146-0
                                                      • Opcode ID: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                      • Instruction ID: fe80bd2ae46c2ec51856c3c9d5f0629ae21f3a89cb63f5a1046941e78d0240ab
                                                      • Opcode Fuzzy Hash: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                      • Instruction Fuzzy Hash: F5216F72B087828AEB208F26954012DB7A6FBD4FD4B954235DE9D5BBB4CF3CE8458701
                                                      APIs
                                                      • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                        • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                        • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                      • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                      • API String ID: 1351999747-1487749591
                                                      • Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                      • Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
                                                      • Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                      • Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750
                                                      APIs
                                                      • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                      • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                      • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                      • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                      • String ID:
                                                      • API String ID: 3203701943-0
                                                      • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                      • Instruction ID: 4aaa9055f457773a3941b5a5a8dce706b35ab72d69fce494c4f36289ac21efab
                                                      • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                      • Instruction Fuzzy Hash: 0101A5A2E15B5187DF058F799804178B7A0FB58B84B549235DA4E8F734DA7CD0C18700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memmove$FormatFreeLocalMessage
                                                      • String ID: unknown error
                                                      • API String ID: 725469203-3078798498
                                                      • Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                      • Instruction ID: 0180ce94398c27a42c0a7b52e09b7ab3a8f6bcea21f99e41dfdd7a583b5940e4
                                                      • Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                      • Instruction Fuzzy Hash: EA11582260978682E7219F25E14036DB7A1FB99BCCF488235EA8D0F7BACF7CD5508741
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: malloc
                                                      • String ID: MOC$RCC$csm
                                                      • API String ID: 2803490479-2671469338
                                                      • Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                      • Instruction ID: 4cbbb1d556229ea38626a6243ef7f532f862973eaa76563ac78ee8d084a25611
                                                      • Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                      • Instruction Fuzzy Hash: BC018422E08582C6EF64AF15955417E22B1EF48B84F594039DA1D2FBA5CE6CE881C602
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                      • String ID: 0123456789-
                                                      • API String ID: 4032823789-3850129594
                                                      • Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                      • Instruction ID: 8aca4833dd0765712702b93e65cc0c92ac213c1685a50989791b092a9040a51b
                                                      • Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                      • Instruction Fuzzy Hash: 4F715A72B49B5589EB01CFA5E8902AC2371FB48B98F404136EE4D5BBB8DE3CD44AC344
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                      • String ID: %.0Lf
                                                      • API String ID: 296878162-1402515088
                                                      • Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                      • Instruction ID: dc0b4b18a6933a4e6920fb7d219d6e3ec69581a4627b7253be32515637c9a3f5
                                                      • Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                      • Instruction Fuzzy Hash: 7C716032B48B9586EB11CBA5E8402AD7372EB94B98F504136EE4D2BB79EF3CD455C340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                      • String ID: %.0Lf
                                                      • API String ID: 296878162-1402515088
                                                      • Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                      • Instruction ID: 1441afd0019c2530502a472fb9ba3fd323cdb9979b417486f0ef8682d68d3cfa
                                                      • Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                      • Instruction Fuzzy Hash: AF716132B08B9586EB11CB66E8802AD6372EF94B98F104136EE5D6BB79DF3CD445C340
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: rand_s
                                                      • String ID: invalid random_device value
                                                      • API String ID: 863162693-3926945683
                                                      • Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                      • Instruction ID: 4c5a42236438f87ac391a5266e83f9d91cc94ad74a838270408e4b9521b230fb
                                                      • Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                      • Instruction Fuzzy Hash: F6510162C18A8A86F3528B34C4511BE6364FF363C8F908732E61E3E5B5DF2DA4C28201
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$CreateFrameInfo
                                                      • String ID: csm
                                                      • API String ID: 2697087660-1018135373
                                                      • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                      • Instruction ID: e9a099ebed70afb4b9617f48e8700d5c265649d3c9b64dbae9380faa4d034033
                                                      • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                      • Instruction Fuzzy Hash: A3514F36718B8186DA209B26E14027EB7B5F788FA1F1405B6DB9D07B66CF38D470CB40
                                                      APIs
                                                        • Part of subcall function 00007FFE1A45349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A451222), ref: 00007FFE1A4534DC
                                                      • _CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A452666
                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4526C4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820453162.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                       • Associated: 00000009.00000002.1820426233.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820522114.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820547380.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a450000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$CreateFrameInfo
                                                      • String ID: csm
                                                      • API String ID: 2697087660-1018135373
                                                      • Opcode ID: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
                                                      • Instruction ID: e951cb27b2a14aa040c2acbf341571871fb4ebacc59ab1e0781d8989651ef6fa
                                                      • Opcode Fuzzy Hash: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
                                                      • Instruction Fuzzy Hash: 685128B7718B4186D620EB16E04027E77A4FB89FA4F1415B6EB8D07B66CF38E461CB00
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                      • String ID: !%x
                                                      • API String ID: 1195835417-1893981228
                                                      • Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                      • Instruction ID: 0fdd913203488520331c75a2670ccc75526431eb8f5f2791cb195ac45e000b71
                                                      • Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                      • Instruction Fuzzy Hash: 8C417C62F18A9199FB00CBA5D8417EC3B71BB68798F844535EE5D2BBA9DF3C9185C300
                                                      APIs
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE013F3305
                                                        • Part of subcall function 00007FFE014425AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5AF8), ref: 00007FFE014425C6
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE013F57FA,?,?,?,00007FFE013F4438), ref: 00007FFE013F32FE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID: ios_base::failbit set
                                                      • API String ID: 1934640635-3924258884
                                                      • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                      • Instruction ID: 5dbaf2c5d475c3da415fae4e4029ca3b99c2d37f896bf6cb34a9175ca87f81c3
                                                      • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                      • Instruction Fuzzy Hash: 6621E921B09BC195DB60DB11E4402AAB3A4FF48BE0F544635EE9C5BBA8EF3CC545C700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: void$void
                                                      • API String ID: 2943138195-3746155364
                                                      • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                      • Instruction ID: 21871c191d2fdd7125382a0f7e221601655f3dc68f5a3a5884c6515a15c5d336
                                                      • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                      • Instruction Fuzzy Hash: 09313266F18E5588FB00CBA2E8410FC33B0BB48B58B4405B7EE5E63B69DF389164C750
                                                      APIs
                                                        • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                      • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                      • API String ID: 1654775311-1428855073
                                                      • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                      • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                      • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                      • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                      APIs
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE013FC744), ref: 00007FFE013FF1D4
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                      • String ID: false$true
                                                      • API String ID: 2502581279-2658103896
                                                      • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                      • Instruction ID: ef303df0a96c51800ef0a53ac4ed34e3f2e037f9cbc78bcc3fda6101160338d2
                                                      • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                      • Instruction Fuzzy Hash: 36217F6B608B8592E720DF21E4403A977A1FB98BA8F454536DA8C0B779DF3CD195C780
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileHeader$ExceptionRaise
                                                      • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                      • API String ID: 3685223789-3176238549
                                                      • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                      • Instruction ID: 73616ebadc9f9223b33c85ff90d06e019052bb1232d9ae2bbd2153aea9218c50
                                                      • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                      • Instruction Fuzzy Hash: B7019E61B29E8691EE44DB56E450178A320FF80FA4F4050F3D61E076B6EF7CD424C300
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFileHeaderRaise
                                                      • String ID: csm
                                                      • API String ID: 2573137834-1018135373
                                                      • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                      • Instruction ID: c233e05d9a4ea9b7d47da1cc59533c829a9f92959bee3c05ca488d2da86e2fe9
                                                      • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                      • Instruction Fuzzy Hash: F8112132618B8182EB558F15E440279B7A5FB84F94F2841B1DE9C07768EF3CD9618700
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820453162.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                       • Associated: 00000009.00000002.1820426233.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820522114.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820547380.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a450000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFileHeaderRaise
                                                      • String ID: csm
                                                      • API String ID: 2573137834-1018135373
                                                      • Opcode ID: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                      • Instruction ID: 98cfe312b12a96db6f2b3ab104c59d221e0a625a9fec9fb08b68f2a294efc027
                                                      • Opcode Fuzzy Hash: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                      • Instruction Fuzzy Hash: 1A112B72608F4582EB109B16F4502697BE0FB88F94F5842B1EE9D47B64DF3CD565CB40
                                                      APIs
                                                      • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013F6A3D
                                                        • Part of subcall function 00007FFE013F4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4DF9
                                                        • Part of subcall function 00007FFE013F4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E28
                                                        • Part of subcall function 00007FFE013F4DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E3F
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE013F6A5A
                                                      Strings
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE013F6A65
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Getmonthsmallocmemmove
                                                      • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                      • API String ID: 794196016-2030377133
                                                      • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                      • Instruction ID: 7d6d26b7f3a5e2e6e0cfad2596e7b2514a7ee297a45acaecea40b3c57f5f3ea7
                                                      • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                      • Instruction Fuzzy Hash: 54E0ED21A15B4693EF409B12F5843696361FF48B94F845034DA0E0BB75DF7CE4B4C300
                                                      APIs
                                                      • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013F69ED
                                                        • Part of subcall function 00007FFE013F4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4DF9
                                                        • Part of subcall function 00007FFE013F4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E28
                                                        • Part of subcall function 00007FFE013F4DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E3F
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE013F6A0A
                                                      Strings
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE013F6A15
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Getdaysmallocmemmove
                                                      • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 2126063425-3283725177
                                                      • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                      • Instruction ID: 426af90f47b4440abe5a6aee2f7be28b32de540249def8ac5e4e84cb0604dd72
                                                      • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                      • Instruction Fuzzy Hash: 64E0ED21A15B4293EF109B12F58436973A1EF48B94F544534DA0D0BB75DF3CE4A4C700
                                                      APIs
                                                      • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013F633D
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memmove.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE013F635A
                                                      Strings
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE013F6365
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Getmonthsmallocmemmove
                                                      • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                      • API String ID: 794196016-4232081075
                                                      • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                      • Instruction ID: f8497dfe8c3507925476a2b0f2a297c35951d559fa87f8e566cf4f06e797f33d
                                                      • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                      • Instruction Fuzzy Hash: 6AE0C921A15B4292EF009B12F58526963A1EB58B90F484035DA1D0A775DF3CE4E4C740
                                                      APIs
                                                      • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013F62CD
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memmove.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE013F62EA
                                                      Strings
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE013F62F5
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                       • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                       • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Getdaysmallocmemmove
                                                      • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 2126063425-3283725177
                                                      • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                      • Instruction ID: f6e2270fb9ea1b7cc111f1aa08b9d7a535b5494aed83a2b29bb6d18f04c7b32b
                                                      • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                      • Instruction Fuzzy Hash: E4E0ED21B15B8293EF049B12F594369A365FF48B80F848434DA1D0B775EF3CE4A4C700
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 432778473-0
                                                      • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                      • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                      • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                      • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1819105883.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                       • Associated: 00000009.00000002.1819071890.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819140424.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819162618.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                       • Associated: 00000009.00000002.1819182144.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 2822070131-0
                                                      • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                      • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                      • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                      • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,00007FFE1A4665B9,?,?,?,?,00007FFE1A46FB22,?,?,?,?,?), ref: 00007FFE1A46674B
                                                      • SetLastError.KERNEL32(?,?,?,00007FFE1A4665B9,?,?,?,?,00007FFE1A46FB22,?,?,?,?,?), ref: 00007FFE1A4667D4
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820598855.00007FFE1A461000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A460000, based on PE: true
                                                       • Associated: 00000009.00000002.1820573687.00007FFE1A460000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820629530.00007FFE1A471000.00000002.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820659740.00007FFE1A476000.00000004.00000001.01000000.0000000A.sdmp
                                                       • Associated: 00000009.00000002.1820678644.00007FFE1A477000.00000002.00000001.01000000.0000000A.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a460000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                      • Instruction ID: 131fd2dc6aadba2bbb9080095e47cec664e6939d2c62196b6216be9e081b9d52
                                                      • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                      • Instruction Fuzzy Hash: 29112124B09A9241FA589B679804174A2A2BF48FB1F144AF7D97E077F5DF2CA8618600
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,00007FFE1A45329D,?,?,?,?,00007FFE1A45411A,?,?,?,?,?), ref: 00007FFE1A4533FB
                                                      • SetLastError.KERNEL32(?,?,?,00007FFE1A45329D,?,?,?,?,00007FFE1A45411A,?,?,?,?,?), ref: 00007FFE1A453483
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820453162.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                       • Associated: 00000009.00000002.1820426233.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820482713.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820522114.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmp
                                                       • Associated: 00000009.00000002.1820547380.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe1a450000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
                                                      • Instruction ID: 479f95d0abd456450994b2144b3c1d5de1097ad16161fc6272fe47a8af93c2bc
                                                      • Opcode Fuzzy Hash: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
                                                      • Instruction Fuzzy Hash: B81130E0F09E1292FA15B723A86013966A1AF45FB0F5846F6D92E473F5DF3CB4618740
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free
                                                      • String ID:
                                                      • API String ID: 1294909896-0
                                                      • Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                      • Instruction ID: 0b161cbe35abb025478f37a365ca848c148f8ac6404ff633db6df27426626ba9
                                                      • Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                      • Instruction Fuzzy Hash: CBF0CF32A19B4293EB449B16EAA416873A6FB88F91F544031DA4E4BB70DF6DE4A5C300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free
                                                      • String ID:
                                                      • API String ID: 1294909896-0
                                                      • Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                      • Instruction ID: 06503603013d92481f311f95c867eab23c70ac2541a2a6c18463cd258dccbfbd
                                                      • Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                      • Instruction Fuzzy Hash: F8F0E732A19B4297EB449B16EAA41787362FF88B90F144031DA4E4BB70DF7DE4A5C300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free
                                                      • String ID:
                                                      • API String ID: 1294909896-0
                                                      • Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                      • Instruction ID: 58c93d1b5776f3a24b80f1950f7b380fcd2f98012b1323db5bcdec5318b7bdf8
                                                      • Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                      • Instruction Fuzzy Hash: 7FF0E732A19B4293EB449B16EAA417873A2FF88B90F144031DA4D4BB70DF7DE4A5C300
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1820265189.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 00000009.00000002.1820241461.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820316432.00007FFE01445000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820353027.00007FFE01473000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820377447.00007FFE01474000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000009.00000002.1820401216.00007FFE01477000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free
                                                      • String ID:
                                                      • API String ID: 1294909896-0
                                                      • Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                      • Instruction ID: 111f7ae8152226d857051dd424f58d31100f2e509658485dd0251826edf07c38
                                                      • Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                      • Instruction Fuzzy Hash: 59E00276E15A0183FF159F62D8A40286375FF98F59B181032CE1E4E274DE6CD895C700