
Windows Analysis Report
3gPZmVbozD.msi

Overview

General Information

Sample name: 3gPZmVbozD.msi (renamed because original name is a hash value)
Original sample name: 88ca3332931ba3bd47e0def74997b62cf5615fe79cca565edf92160540e2927b.msi
Analysis ID: 1580026
MD5: fa83ae439fadce1e74cd7f84820f6d7d
SHA1: 6bf2284c716425218c42f8027935a29f99e32bbf
SHA256: 88ca3332931ba3bd47e0def74997b62cf5615fe79cca565edf92160540e2927b
Tags: LegionLoader, maddhouzz-com, msi, user-johnk3r

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7328 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\3gPZmVbozD.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7360 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7472 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D8BC283402454473AA94702B7499391E MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7660 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7916 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 8016 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 7924 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D8BC283402454473AA94702B7499391E, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7472, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7660, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D8BC283402454473AA94702B7499391E, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7472, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7660, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D8BC283402454473AA94702B7499391E, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7472, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7660, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 172.67.183.84, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7472, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started; Author: frack113; Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D8BC283402454473AA94702B7499391E, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7472, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7660, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D8BC283402454473AA94702B7499391E, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7472, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7660, ProcessName: powershell.exe

Suricata IDS alert:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T18:26:18.934117+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.183.84 | 443 | TCP


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\Windows\System32\msiexec.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}
Source: unknown; HTTPS traffic detected: 172.67.183.84:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1875759656.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000000.1880611027.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: ucrtbase.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000A.00000002.1885188721.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000000.1880611027.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1875759656.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 3gPZmVbozD.msi, MSIE590.tmp.1.dr, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: C:\Windows\System32\msiexec.exe; File opened (drive letters enumerated): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, a:
Source: C:\Windows\System32\cmd.exe; File opened: c:
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 10_2_00007FFE012DA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn

Networking

Source: Network traffic; Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49731 -> 172.67.183.84:443
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: maddhouzz.com
Source: unknown; HTTP traffic detected:
POST /updater.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvancedInstaller
Host: maddhouzz.com
Content-Length: 71
Cache-Control: no-cache
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 3gPZmVbozD.msi, 60da62.msi.1.dr; String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 00000003.00000002.1821666345.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 3gPZmVbozD.msi, 60da62.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 3gPZmVbozD.msi, 60da62.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: 3gPZmVbozD.msi, 60da62.msi.1.dr; String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: 3gPZmVbozD.msi, 60da62.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0K
Source: 3gPZmVbozD.msi, 60da62.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0N
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000002.1817707284.0000000004727000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 3gPZmVbozD.msi, 60da62.msi.1.dr; String found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000003.00000002.1817707284.00000000045D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1817707284.0000000004727000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ImporterREDServer.exe, 0000000A.00000002.1885188721.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr; String found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000003.00000002.1817707284.00000000045D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: 3gPZmVbozD.msi, 60da62.msi.1.dr; String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1817707284.0000000004727000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1817707284.0000000004C92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: 3gPZmVbozD.msi, 60da62.msi.1.dr; String found in binary or memory: https://maddhouzz.com/updater.phpx
Source: powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: 3gPZmVbozD.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 60da62.msi.1.dr; String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; HTTPS traffic detected: 172.67.183.84:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\60da5f.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIE3D5.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIE453.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIE492.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIE4B3.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIE502.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIE532.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIE590.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI186.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\SourceHash{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIB89.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIBC9.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\60da62.msi
Source: C:\Windows\System32\msiexec.exe; File deleted: C:\Windows\Installer\MSIE3D5.tmp
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012DF9B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0130F9DA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012F2208
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012DE8B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE01302880
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012E60D0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012F4340
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012EABB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0130A27C
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012F6338
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE01302D70
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0130BDA0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE013095A8
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012ECDF0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012F5470
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012E9460
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012F0C60
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012E6440
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012F6C84
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE013044E0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012EBCD0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012E8FB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012F4780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012DC780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012DD810
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0130B698
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012EDF10
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012F0710
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012F3F00
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE1A537508
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs 3gPZmVbozD.msi
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 3gPZmVbozD.msi
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenameDataUploader.dllF vs 3gPZmVbozD.msi
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs 3gPZmVbozD.msi
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenameucrtbase.dllj% vs 3gPZmVbozD.msi
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenamevcruntime140.dllT vs 3gPZmVbozD.msi
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenamemsvcp140.dllT vs 3gPZmVbozD.msi
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs 3gPZmVbozD.msi
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs 3gPZmVbozD.msi
Source: 3gPZmVbozD.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs 3gPZmVbozD.msi
Source: dvacore.dll.1.dr | Binary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engine | Classification label: mal68.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140010BE0 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012DA7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML1620.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF051FB14E0AFD2E98.TMP
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\3gPZmVbozD.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D8BC283402454473AA94702B7499391E
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D8BC283402454473AA94702B7499391E
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvacore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: libzip.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_system.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_filesystem.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvaunittesting.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: utest.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}
Source: 3gPZmVbozD.msi | Static file information: File size 60282613 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1875759656.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000000.1880611027.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: ucrtbase.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000A.00000002.1885188721.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000000.1880611027.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1875759656.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 3gPZmVbozD.msi, MSIE590.tmp.1.dr, 60da62.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: 3gPZmVbozD.msi, 60da62.msi.1.dr
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.dr | Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr | Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr | Static PE information: section name: _RDATA
Source: createdump.exe.1.dr | Static PE information: section name: _RDATA
Source: MSIBC9.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIE3D5.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIE453.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIE492.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIE4B3.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIE502.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIE532.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIE590.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI186.tmp.1.dr | Static PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04560B35 push ebx; iretd 3_2_04560B42
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_0456BD82 push esp; ret 3_2_0456BD93
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBC9.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE4B3.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE502.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE3D5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE492.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE590.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE532.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE453.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI186.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0130C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_00007FFE0130C0C0
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3084
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIBC9.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE4B3.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE502.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE532.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE453.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE3D5.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE492.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE590.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI186.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep count: 1348 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep count: 3084 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7772 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7760 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (7 occurrences)
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE012DA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,10_2_00007FFE012DA330
Source: 60da62.msi.1.dr | Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 7_2_00007FF7B6C82ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF7B6C82ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 7_2_00007FF7B6C82984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF7B6C82984
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 7_2_00007FF7B6C83074 SetUnhandledExceptionFilter,7_2_00007FF7B6C83074
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140011F24 SetUnhandledExceptionFilter,10_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE01322CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE01322CDC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE1A54004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE1A54004C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." (2 occurrences)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssc40.ps1" -propfile "c:\users\user\appdata\local\temp\msic3d.txt" -scriptfile "c:\users\user\appdata\local\temp\scrc3e.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrc3f.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue." (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: ___lc_locale_name_func,GetLocaleInfoEx,10_2_00007FFE012FEFC0
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 7_2_00007FF7B6C82DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF7B6C82DA0
MITRE ATT&CK Matrix (the digit runs shown next to a technique are the report's own count badges, reproduced as given)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (1) | Replication Through Removable Media (1) | Command and Scripting Interpreter (1) | Scripting (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (1) | DLL Side-Loading (1) | Windows Service (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Windows Service (1) | Process Injection (11) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Timestomp (1) | NTDS | System Information Discovery (24) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (111) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Process Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (21) | DCSync | Virtualization/Sandbox Evasion (121) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (121) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (11) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1580026 | Sample: 3gPZmVbozD.msi | Start date: 23/12/2024 | Architecture: WINDOWS | Score: 68
Network node: maddhouzz.com (172.67.183.84, port 443, CLOUDFLARENETUS, United States), contacted by the child msiexec.exe
Signatures shown on the graph: Suricata IDS alerts for network traffic; AI detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder; Query firmware table information (likely to detect VMs) and Bypasses PowerShell execution policy (both attached to the child msiexec.exe)
Process tree (numbers after a process name are the graph's own per-node counts):
  msiexec.exe (139, 107)
    dropped: C:\Windows\Installer\MSIE590.tmp (PE32), C:\Windows\Installer\MSIE532.tmp (PE32), C:\Windows\Installer\MSIE502.tmp (PE32), 52 other files (none is malicious)
    msiexec.exe (14)
      dropped: C:\Users\user\AppData\Local\Temp\scrC3E.ps1 (Unicode), C:\Users\user\AppData\Local\Temp\pssC40.ps1 (Unicode), C:\Users\user\AppData\Local\Temp\msiC3D.txt (Unicode)
      powershell.exe (17)
        conhost.exe
    cmd.exe (1)
      ImporterREDServer.exe (1)
        conhost.exe
      conhost.exe
    createdump.exe (1)
      conhost.exe
  msiexec.exe (2)

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI186.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIBC9.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE3D5.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE453.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE492.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE4B3.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE502.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE532.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE590.tmp | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://maddhouzz.com/updater.php | 0% | Avira URL Cloud | safe
https://maddhouzz.com/updater.phpx | 0% | Avira URL Cloud | safe
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | 0% | Avira URL Cloud | safe
http://schemas.mick | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
maddhouzz.com | 172.67.183.84 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://maddhouzz.com/updater.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000003.00000002.1821666345.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1817707284.0000000004727000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1817707284.00000000045D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1817707284.0000000004727000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.1817707284.0000000004C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1819833611.000000000563B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mick | 3gPZmVbozD.msi, 60da62.msi.1.dr | false | Avira URL Cloud: safe | unknown
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 0000000A.00000002.1885188721.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr | false | Avira URL Cloud: safe | unknown
https://maddhouzz.com/updater.phpx | 3gPZmVbozD.msi, 60da62.msi.1.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/winui2/webview2download/Reload(): | 3gPZmVbozD.msi, 60da62.msi.1.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1817707284.00000000045D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1817707284.0000000004727000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.183.84 | maddhouzz.com | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580026
Start date and time: 2024-12-23 18:25:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3gPZmVbozD.msi
renamed because original name is a hash value
Original Sample Name: 88ca3332931ba3bd47e0def74997b62cf5615fe79cca565edf92160540e2927b.msi
Detection: MAL
Classification: mal68.evad.winMSI@17/91@1/1
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 197
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ImporterREDServer.exe, PID 8016 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7660 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: 3gPZmVbozD.msi
Time | Type | Description
12:26:19 | API Interceptor | 7x Sleep call for process: powershell.exe modified
                              No context
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 1.1.1.1
| xlSzrIs5h6.exe | malicious | LummaC, Stealc | 104.21.36.201
| ZysXVT72cl.exe | malicious | LummaC | 172.67.192.247
| NxqDwaYpbp.exe | malicious | LummaC | 104.21.36.201
| http://plnbl.io/review/FSUQBEfTfzwH | malicious | Unknown | 104.22.54.104
| 5diately.msg | malicious | Unknown | 1.1.1.1
| NAnOVCOt4L.exe | malicious | LummaC | 172.67.199.72
| 2jx1O1t486.exe | malicious | LummaC, Stealc | 104.21.36.201
| fkawMJ7FH8.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc | 104.21.63.229
| OtHVIQ2ge4.exe | malicious | LummaC | 104.21.36.201
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | fkawMJ7FH8.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc | 172.67.183.84
| ChoForgot.exe | malicious | Vidar | 172.67.183.84
| Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 172.67.183.84
| Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 172.67.183.84
| YYjRtxS70h.exe | malicious | Unknown | 172.67.183.84
| YYjRtxS70h.exe | malicious | Unknown | 172.67.183.84
| nTyPEbq9wQ.lnk | malicious | Unknown | 172.67.183.84
| 7A2lfjTYNf.lnk | malicious | Unknown | 172.67.183.84
| 6fW0guYpsH.lnk | malicious | Unknown | 172.67.183.84
| FzmtNV0vnG.lnk | malicious | Unknown | 172.67.183.84
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | setup.msi | malicious | Unknown
| installer.msi | malicious | Unknown
| setup.msi | malicious | Unknown
| Setup.msi | malicious | Unknown
| q9bzWO2X1r.msi | malicious | Unknown
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | setup.msi | malicious | Unknown
| installer.msi | malicious | Unknown
| setup.msi | malicious | Unknown
| Setup.msi | malicious | Unknown
| q9bzWO2X1r.msi | malicious | Unknown
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):20975
                                                  Entropy (8bit):5.799816133215197
                                                  Encrypted:false
                                                  SSDEEP:384:r0Bz/NxNSN9NUNTNwNKNaNINsNWNdN7NnNtUNBNMNKNSNFN4N0N6N8NjNkNlNlNW:rmpT8naR+0EWSoHZNtajy08vG6kihqP+
                                                  MD5:9B3FE6D06BFE79096F6BB6425A0386BB
                                                  SHA1:CE1CF43475A6B954D2A36C3BE313C3992F822ADF
                                                  SHA-256:6A8CFD97EF5B240F3D4F5011FD5AB3BF3F3097E00E7A0B6548F5A699BEFE3C08
                                                  SHA-512:2CAAFC286F8549A56DFA6A60E1F4D60BDFD2844DAB6CA5C462A694121E9CE09F0BBCF2476705E8D293AD968DB2DE7E84019B91EEEBB522D970724722EF003318
                                                  Malicious:false
                                                  Preview:...@IXOS.@.....@Kc.Y.@.....@.....@.....@.....@.....@......&.{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}..App x installer..3gPZmVbozD.msi.@.....@.....@.....@......icon_22.exe..&.{90986429-FF00-4665-9CF9-007CC571AF21}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}.@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}&.{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}.@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}&.{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}.@......&.{DE28A560-E5E1-4035-8CA3-44934686A249}&.{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}.@......&.{03D39B98-E7BB-4062-BD92-307D642A5CF1}&.{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{3
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1360
                                                  Entropy (8bit):5.413197223328133
                                                  Encrypted:false
                                                  SSDEEP:24:3UWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R82r6SVbu:EWSU4y4RQmFoUeWmfmZ9tK8NWR823Vbu
                                                  MD5:4EE98ECBC11472A5F2C270505F6B3879
                                                  SHA1:8522F7DA43966CA85A15553AB079EE3877350FF3
                                                  SHA-256:E2BD932F23DB7A52BE4921DB1C3D25BCDC2E9AA6CEEF34D68596CA2A6D97D454
                                                  SHA-512:D48EDFA575431893A668FED2BC500529D41BF3583C48B8C3080296CAE41F1657B8715A40BFA8565436F31685EC25C0A93903D3E3532426178C9890C16D35BF1D
                                                  Malicious:false
                                                  Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):96
                                                  Entropy (8bit):2.99798449505456
                                                  Encrypted:false
                                                  SSDEEP:3:QmalTuOIAlSRYplflbPRYplf955:Qmalt9lLZiLN
                                                  MD5:F26BF481CA203C7D611850139ACBEF41
                                                  SHA1:EA86C45B436D1B8F5F42F87AE5034332A5BCFEC4
                                                  SHA-256:A6AE6BBFC3486BA26A9A3C67B127D6972D16B8B925BDE4AF20880EE1B1D997CB
                                                  SHA-512:D1D2AE7C30A146AC1A85BDC133CE1F105AFC6F4EC8C5BD21A8EAACD0910929D3A9FCB540AB533A253C296C51DC71D1AE58749F7449DAB1C530E82D78D3544E4E
                                                  Malicious:true
                                                  Preview:..C.e.v.e.r.a.l.S.e.s. .:.<.-.>.:. . .<.<.:.>.>. .T.r.i.a.l.N.o.w. .:.<.-.>.:. .0. .<.<.:.>.>. .
                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):6668
                                                  Entropy (8bit):3.5127462716425657
                                                  Encrypted:false
                                                  SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                  MD5:30C30EF2CB47E35101D13402B5661179
                                                  SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                  SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                  SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                  Malicious:true
                                                  Preview:..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .
                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):250
                                                  Entropy (8bit):3.576902729499699
                                                  Encrypted:false
                                                  SSDEEP:6:QfFok79idK3fclQ9zgltHN+KiVmMXFVrMTlp1LlG7JidK3fpdInO:QfF3IugM/XFVrMTWNvn
                                                  MD5:479FAC6E0C05C5A57698619AFE51DEF2
                                                  SHA1:1AF4A4DB75ACE8324ED7BFF59D711E80A7BDB821
                                                  SHA-256:700080D274E5629A2BFA0D47B9BAF53AD69E67A64A2B04D84115D5851AB3DDBD
                                                  SHA-512:B0B5065C216EBC1124B985F3FF86EE7C7E7E9B994190D1103C454EDD602E0242B7160BFFB202538470254675DFACAC6159F1A459B979DAD563BDED84FCED193E
                                                  Malicious:true
                                                  Preview:..$.o.i.g.n.q.p. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".C.e.v.e.r.a.l.S.e.s.".....$.a.v.o.i.j.g. .=. .[.u.i.n.t.3.2.].(.$.o.i.g.n.q.p. .-.r.e.p.l.a.c.e. .'.b.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".T.r.i.a.l.N.o.w.". .$.a.v.o.i.j.g.
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):310928
                                                  Entropy (8bit):6.001677789306043
                                                  Encrypted:false
                                                  SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                  MD5:147B71C906F421AC77F534821F80A0C6
                                                  SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                  SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                  SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
• Filename: setup.msi, Detection: malicious
• Filename: installer.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: Setup.msi, Detection: malicious
• Filename: q9bzWO2X1r.msi, Detection: malicious
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}|...|...|....../p....../v....../1...u.a.l....../u...|........./v....../}...Rich|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):117496
                                                  Entropy (8bit):6.136079902481222
                                                  Encrypted:false
                                                  SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                  MD5:F67792E08586EA936EBCAE43AAB0388D
                                                  SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                  SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                  SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
• Filename: setup.msi, Detection: malicious
• Filename: installer.msi, Detection: malicious
• Filename: setup.msi, Detection: malicious
• Filename: Setup.msi, Detection: malicious
• Filename: q9bzWO2X1r.msi, Detection: malicious
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,|..B/..B/..B/.../..B/.G...B/.F...B/.A...B/.C...B/.C...B/..G...B/<.C...B/..C/..B/<.G...B/<../..B/.../..B/<.@...B/Rich..B/................PE..d.....-a..........#............................@.....................................].... .................................................D...,...............`....................]..T...................P_..(...P^...............0..H............................text............................... ..`.rdata...o...0...p..."..............@..@.data...@...........................@....pdata..`...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):506008
                                                  Entropy (8bit):6.4284173495366845
                                                  Encrypted:false
                                                  SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                  MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                  SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                  SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                  SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............|.&.....|.$.J...|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12224
                                                  Entropy (8bit):6.596101286914553
                                                  Encrypted:false
                                                  SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                  MD5:919E653868A3D9F0C9865941573025DF
                                                  SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                  SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                  SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12224
                                                  Entropy (8bit):6.640081558424349
                                                  Encrypted:false
                                                  SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                  MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                  SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                  SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                  SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11712
                                                  Entropy (8bit):6.6023398138369505
                                                  Encrypted:false
                                                  SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                  MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                  SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                  SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                  SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.614262942006268
                                                  Encrypted:false
                                                  SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                  MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                  SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                  SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                  SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.654155040985372
                                                  Encrypted:false
                                                  SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                  MD5:94788729C9E7B9C888F4E323A27AB548
                                                  SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                  SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                  SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):15304
                                                  Entropy (8bit):6.548897063441128
                                                  Encrypted:false
                                                  SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                  MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                  SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                  SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                  SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11712
                                                  Entropy (8bit):6.622041192039296
                                                  Encrypted:false
                                                  SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                  MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                  SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                  SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                  SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.730719514840594
                                                  Encrypted:false
                                                  SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                  MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                  SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                  SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                  SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.626458901834476
                                                  Encrypted:false
                                                  SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                  MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                  SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                  SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                  SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12232
                                                  Entropy (8bit):6.577869728469469
                                                  Encrypted:false
                                                  SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                  MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                  SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                  SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                  SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11712
                                                  Entropy (8bit):6.6496318655699795
                                                  Encrypted:false
                                                  SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                  MD5:A038716D7BBD490378B26642C0C18E94
                                                  SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                  SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                  SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12736
                                                  Entropy (8bit):6.587452239016064
                                                  Encrypted:false
                                                  SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                  MD5:D75144FCB3897425A855A270331E38C9
                                                  SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                  SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                  SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):14280
                                                  Entropy (8bit):6.658205945107734
                                                  Encrypted:false
                                                  SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                  MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                  SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                  SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                  SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12224
Entropy (8bit):6.621310788423453
Encrypted:false
SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
MD5:808F1CB8F155E871A33D85510A360E9E
SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11720
Entropy (8bit):6.7263193693903345
Encrypted:false
SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
MD5:CFF476BB11CC50C41D8D3BF5183D07EC
SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12744
Entropy (8bit):6.601327134572443
Encrypted:false
SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
MD5:F43286B695326FC0C20704F0EEBFDEA6
SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):14272
Entropy (8bit):6.519411559704781
Encrypted:false
SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
MD5:E173F3AB46096482C4361378F6DCB261
SHA1:7922932D87D3E32CE708F071C02FB86D33562530
SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12232
Entropy (8bit):6.659079053710614
Encrypted:false
SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
MD5:9C9B50B204FCB84265810EF1F3C5D70A
SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11200
Entropy (8bit):6.7627840671368835
Encrypted:false
SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
MD5:0233F97324AAAA048F705D999244BC71
SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12224
Entropy (8bit):6.590253878523919
Encrypted:false
SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
MD5:E1BA66696901CF9B456559861F92786E
SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11720
Entropy (8bit):6.672720452347989
Encrypted:false
SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
MD5:7A15B909B6B11A3BE6458604B2FF6F5E
SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):13760
Entropy (8bit):6.575688560984027
Encrypted:false
SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12232
Entropy (8bit):6.70261983917014
Encrypted:false
SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
MD5:D175430EFF058838CEE2E334951F6C9C
SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12744
Entropy (8bit):6.599515320379107
Encrypted:false
SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
MD5:9D43B5E3C7C529425EDF1183511C29E4
SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12232
Entropy (8bit):6.690164913578267
Encrypted:false
SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
MD5:43E1AE2E432EB99AA4427BB68F8826BB
SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11720
Entropy (8bit):6.615761482304143
Encrypted:false
SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
MD5:735636096B86B761DA49EF26A1C7F779
SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12744
Entropy (8bit):6.627282858694643
Encrypted:false
SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
MD5:031DC390780AC08F498E82A5604EF1EB
SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
Malicious:false
Antivirus:
• ReversingLabs, Detection: 0%

                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):15816
                                                  Entropy (8bit):6.435326465651674
                                                  Encrypted:false
                                                  SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                  MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                  SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                  SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                  SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12232
                                                  Entropy (8bit):6.5874576656353145
                                                  Encrypted:false
                                                  SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                  MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                  SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                  SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                  SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):13768
                                                  Entropy (8bit):6.645869978118917
                                                  Encrypted:false
                                                  SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                  MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                  SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                  SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                  SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):61176
                                                  Entropy (8bit):5.850944458899023
                                                  Encrypted:false
                                                  SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                  MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                  SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                  SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                  SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.X.F...F...F...>O..F.......F.......F.......F.......F.......F...F...F..-/...F..-/...F..-/#..F...FK..F..-/...F..Rich.F..........PE..d.....-a.........." .....X...|.......Y.................................................... .....................................................x.......h.......................0...P...T.......................(....................p..X............................text....V.......X.................. ..`.rdata...X...p...Z...\..............@..@.data...............................@....pdata..............................@..@.rsrc...h...........................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):127224
                                                  Entropy (8bit):6.217127607919178
                                                  Encrypted:false
                                                  SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                  MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                  SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                  SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                  SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'y.fI*.fI*.fI*...*.fI*..M+.fI*..J+.fI*..L+.fI*..H+.fI*..H+.fI*..H+.fI*.fH*.fI*..L+.fI*..I+.fI*...*.fI*.f.*.fI*..K+.fI*Rich.fI*................PE..d.....-a.........." ......................................................... ............ ..........................................x..|B..............p.......@...............D....>..T...................0@..(...0?............... ...............................text...p........................... ..`.rdata....... ......................@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc..D...........................@..B................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):418040
                                                  Entropy (8bit):6.1735291180760505
                                                  Encrypted:false
                                                  SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                  MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                  SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                  SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                  SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+ ..Es..Es..Es...s..Es..Ar..Es..Fr..Es..@r..Es..Dr..Es..Dr..Es..Ds(.Es..@r..Es..Er..Es..s..Es...s..Es..Gr..EsRich..Es........PE..d.....-a.........." .........:.......................................................4.... .........................................`n...T...........p.......0..d2...D.................T...................0...(...0................ ...............................text...\........................... ..`.rdata..h.... ......................@..@.data....7.......0..................@....pdata..d2...0...4..................@..@.rsrc........p.......8..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):698104
                                                  Entropy (8bit):6.463466021766765
                                                  Encrypted:false
                                                  SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                  MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                  SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                  SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                  SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.B.P.B.P.B.P.K...N.P...T.J.P...S.@.P...U.Z.P...Q.F.P...Q.G.P.B.Q...P..U.P.P..P.C.P...C.P.B...C.P..R.C.P.RichB.P.........................PE..d.....-a.........." ................l................................................s.... ..........................................7..T...4...........X....`...D...................Q..T...................@S..(...@R..................H............................text............................... ..`.rdata...V.......X..................@..@.data...`(...0..."..................@....pdata...D...`...F...6..............@..@.rsrc...X............|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):31480
                                                  Entropy (8bit):5.969706735107452
                                                  Encrypted:false
                                                  SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                  MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                  SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                  SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                  SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{...{...{...r.e.....)...h...)...s...)...y...)....... ...x...{...E......y......z......z...{.a.z......z...Rich{...........PE..d.....-a.........." .....,...4......@0................................................... ..........................................T......tU..x.......`....p.......^..............0F..T....................G..(....F...............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...h....`.......N..............@....pdata.......p.......R..............@..@.rsrc...`............V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):103672
                                                  Entropy (8bit):5.851546804507911
                                                  Encrypted:false
                                                  SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                  MD5:129051E3B7B8D3CC55559BEDBED09486
                                                  SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                  SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                  SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X..............&........................................&.............&......&......&.J.......".....&......Rich............................PE..d.....-a.........." ................4...............................................:..... ..........................................J.......[..........`............x..............`...T.......................(....................................................text............................... ..`.rdata.............................@..@.data........p.......N..............@....pdata...............\..............@..@.rsrc...`............n..............@..@.reloc...............t..............@..B........................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):57488
                                                  Entropy (8bit):6.382541157520703
                                                  Encrypted:false
                                                  SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                  MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                  SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                  SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                  SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4664568
                                                  Entropy (8bit):6.259383987199329
                                                  Encrypted:false
                                                  SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                  MD5:A6A89F55416DB79D9E13B82685A04D60
                                                  SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                  SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                  SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........$n..J=..J=..J=...=..J=..N<..J=..I<..J=..O<..J=..K<..J=..N<..J=..L<..J=..K<..J=..K<..J=..K=i.J=..N<..J=..O<U.J=..J<..J=..=..J=...=..J=..H<..J=Rich..J=................PE..d.....-a.........." ......+..........f(.......................................I.......H... ..........................................7>.8.....A......@I.......G......G......PI..F....1.T...................0.1.(...0.1...............+..............................text.....+.......+................. ..`.rdata.......+.......+.............@..@.data....'...`B......DB.............@....pdata.......G.......E.............@..@.rsrc........@I.......F.............@..@.reloc...F...PI..H....F.............@..B........................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):215288
                                                  Entropy (8bit):6.050529290720027
                                                  Encrypted:false
                                                  SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                  MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                  SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                  SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                  SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[..5...5...5......5...1...5...6...5...0...5...4...5...4...5.#.4...5...4.-.5.#.0...5.#.5...5.#....5.......5.#.7...5.Rich..5.........PE..d.....-a.........." .........j...............................................p............ ..............................................!...........P..h....0.......,.......`..........T...........................@................................................text............................... ..`.rdata..............................@..@.data....$..........................@....pdata.......0... ..................@..@.rsrc...h....P......."..............@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:RAR archive data, v5
                                                  Category:dropped
                                                  Size (bytes):357598
                                                  Entropy (8bit):7.999511624100511
                                                  Encrypted:true
                                                  SSDEEP:6144:eW1TnparOLMpg7BnyUDa9Hrl7CGlV/BpJpot9ZK4hOXJtL/ZpgYkZ4tYJDZXCCB:ZBparOApg7BWxrdCGlV/BMi4sXvLhpg5
                                                  MD5:E9B3A0AF46DE7E10E5C3D2AE5854E4C0
                                                  SHA1:3DDF895B574757526A2368A89202FDF81A181189
                                                  SHA-256:632C6A7FE54D7563BEEB7A772C022ACCBD2E3B02AAB13FB2C60798BE6ECE7122
                                                  SHA-512:452C4CDB0EF9AE6151BE49F0532DE803650DCB80477E9D0707E20B64E9DBB4CA1ED5D44A9B96C658AB039677EFBBCA8A2D9C53916047C9A40F667CEE5B6931FE
                                                  Malicious:false
                                                  Preview:Rar!.....t..!......I.X.-.d....B...j...|..<....d..m.r.e.4......@.....t.>^1.@J...%].8A...7*..xzG;a.......#=.cN3..R@..7..x.o.p..3...FS.F,[.A.d..3....'.U..$y.R&......F.....o.VW.[..0.W..zsV(..tMv.(....M..)...&..\..s..L.Y..F.}....r.........b.|fix...h..%J].i.c.j.O\.T.....?MV\.T#{.Lb".f.Bp.X......E.~&+d..p.O.................Z5.<On....w2C+.....v...h.. ..9DM.8.v..E.k.rj..xx.)...k.........F..B....ex...%.xM.&,..,)V.U.*.Fo.3........?mG...<..%O%..P.....,E......E^.irr......'<&.!......d....:..O2d...'.(.kc...WL....U.4a.O>.y.T.7.kn....G.}...V.\F...h.......(o.!./.oq...*sD.@..0h....~.a..........f.[....%..v.9..*.p.H.....}.U......e.0...?X.1;..m...}.....W4.&.6....>..9.c......Yz..;..u.T.Te...|...7.....W.....E.......[*Ir.Zc.t?f1....y.......c.`..0].......13Q. .....ba....... y./.m,.O...f.z..l^.(.....2.k..1(....m.%...^.j..../*.......1kG..WQP.%..b$..^.r.X!.k.|.s.d.}..d.....9.^@.R...'....{...+.(..Y./Y.3./...R.G42..2.f..<..xP.Q..K/.TGc..t.e.._.Z..[r.1d|.w..Y.z~>Z ...R..
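The fields in the entries above (File Type, Entropy, Encrypted, the hash set, and the PE time stamp flagged under "Binary contains a suspicious time stamp") can be reproduced offline for any dropped file. The script below is an added example, not Joe Sandbox code: the file-type strings are modelled on libmagic's wording, the 0x2000 DLL bit and the subsystem/machine values are from the PE specification, and the entropy threshold used for the "Encrypted" flag is an assumption. Note the caveat it encodes: the RAR v5 entry above reads Encrypted:true at 7.9995 bits per byte, but compressed archive data is equally close to 8.0, so entropy alone says "random-looking", not "encrypted". Sample inputs (a minimal x86-64 PE header and a RAR5-tagged blob of seeded random bytes) are constructed inline.

```python
"""Reproduce the per-file fields of a sandbox "dropped files" listing.

Added example (not Joe Sandbox's code). Type strings imitate libmagic;
ENTROPY_RANDOM is an assumed threshold for the "Encrypted" hint.
"""
import hashlib
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x signature
RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x signature
ENTROPY_RANDOM = 7.9                  # assumed: above this, bytes look random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_description(data: bytes):
    """Return (libmagic-style description, TimeDateStamp) or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _sections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10B PE32, 0x20B PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset for PE32 and PE32+
    parts = [{0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE"), "executable"]
    if characteristics & 0x2000:                             # IMAGE_FILE_DLL
        parts.append("(DLL)")
    parts.append({1: "(native)", 2: "(GUI)", 3: "(console)"}.get(subsystem, "(unknown)"))
    parts.append({0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "Aarch64"}.get(machine, hex(machine)))
    return " ".join(parts) + ", for MS Windows", stamp


def file_type(data: bytes) -> str:
    pe = pe_description(data)
    if pe:
        return pe[0]
    if data.startswith(RAR5_MAGIC):
        return "RAR archive data, v5"
    if data.startswith(RAR4_MAGIC):
        return "RAR archive data, v4"
    return "data"


def describe(data: bytes) -> dict:
    """One record with the fields the report prints for each dropped file."""
    ent = shannon_entropy(data)
    rec = {
        "File Type": file_type(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": ent,
        # Near-8.0 entropy means encrypted OR well compressed; it is only a hint.
        "Encrypted": ent >= ENTROPY_RANDOM,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }
    pe = pe_description(data)
    if pe:
        # Compare against the drop time: a stamp far in the past/future is the
        # "suspicious time stamp" signal.
        rec["PE TimeDateStamp"] = datetime.fromtimestamp(pe[1], timezone.utc).isoformat()
    return rec


def build_min_pe(dll: bool, subsystem: int, stamp: int) -> bytes:
    """Constructed minimal x86-64 PE32+ header: enough for the parser, not loadable."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 24 + 240)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    characteristics = 0x0022 | (0x2000 if dll else 0)
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x8664, 3, stamp, 0, 0, 240, characteristics)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<H", hdr, opt + 68, subsystem)
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed samples: a console DLL header and a RAR5-tagged random blob.
    for blob in (build_min_pe(True, 3, 1630000000),
                 RAR5_MAGIC + random.Random(7).randbytes(65536)):
        for k, v in describe(blob).items():
            print(f"{k}:{v}")
        print()
```

Run against a real directory, the same `describe()` lets you re-verify the hashes printed above before pushing them into a blocklist, and the entropy column separates the plain x86-64 DLLs (5.8 to 6.6 bits) from the archive payload without trusting the report's own flag.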
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):566704
                                                  Entropy (8bit):6.494428734965787
                                                  Encrypted:false
                                                  SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                  MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                  SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                  SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                  SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):22
                                                  Entropy (8bit):3.879664004902594
                                                  Encrypted:false
                                                  SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                  MD5:D9324699E54DC12B3B207C7433E1711C
                                                  SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                  SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                  SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                  Malicious:false
                                                  Preview:@echo off..Start "" %1
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):12124160
                                                  Entropy (8bit):4.1175508751036585
                                                  Encrypted:false
                                                  SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                  MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                  SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                  SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                  SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                  Malicious:false
                                                  Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):12124160
                                                  Entropy (8bit):4.117842215789484
                                                  Encrypted:false
                                                  SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                  MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                  SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                  SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                  SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                  Malicious:false
                                                  Preview:....j..L.........*.\.....................................+..............................j..-.....................................!>.............................|<:.......................A.......@...... t...............................".....................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Java jmod module version 1.0
                                                  Category:dropped
                                                  Size (bytes):51389
                                                  Entropy (8bit):7.916683616123071
                                                  Encrypted:false
                                                  SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                  MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                  SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                  SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                  SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                  Malicious:false
                                                  Preview:JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^*#.j...R.A..qV.1o...p.....|._.-N$.!.;X....|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be.*.eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.*t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N....*..r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Java jmod module version 1.0
                                                  Category:dropped
                                                  Size (bytes):12133334
                                                  Entropy (8bit):7.944474086295981
                                                  Encrypted:false
                                                  SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                  MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                  SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                  SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                  SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                  Malicious:false
                                                  Preview:JM..PK.........n/Q................classes/module-info.class.X...e../.l.!..!.#..M..."..g..#.B.........0;{.AAD.EE..QQQ.aG....{.]....7......~.{....k...{....<HD...4.......x%?G.4_St.Z...\..].+c..t.t........iC./...gZ..].8C..D'M...\3.+~5......z.<.f1..2.v./.As.Lv.....`2.M%...d.h..S`....YC.....D.u0-l.V#.5.,.e..)[..[.v..*............d.I...A........A+&."..8g.)"..E..1!.Z.]....Ak..5.......<'..L8bC..V4.U2.~$...i....)."I...O...d:......@..S...w0m...-....2..x....z.....O....k.8.}....P.....=..I/...<../.d..k....43VL.i...........C.S|`..!b.8....3.Ey..S..e..+.../T..j...g..B.@q9.."..>.LU..2-i....-.!....Z....g.BGl.j..R...Z.D.YJ.Kd...9 l.FN4.Rk.22..b..Rn...u..x.,...j.I.aZ.....X[{L.e..Z#..`.Z...*8..[.p..0.(...j..W..-M...V..H7.c.KN...5e.."...t[um..R...UF.c..1.....z|z.EeO..j..k.V..\x.8.....et;.9.^.Pa..+......U....Iu.q.t....HY.g...q.......omK...FKr1.F..F?.i.d../.]....68..L.........W..s.CU.|y.....zE..Q\...82..W.i[.#Q..xm......P..u.<.#...yC...,........~B..|sF.
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Java jmod module version 1.0
                                                  Category:dropped
                                                  Size (bytes):41127
                                                  Entropy (8bit):7.961466748192397
                                                  Encrypted:false
                                                  SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                  MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                  SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                  SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                  SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                  Malicious:false
                                                  Preview:JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...*A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z|*.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Java jmod module version 1.0
                                                  Category:dropped
                                                  Size (bytes):113725
                                                  Entropy (8bit):7.928841651831531
                                                  Encrypted:false
                                                  SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                  MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                  SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                  SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                  SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                  Malicious:false
                                                  Preview:JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm......*..Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h.*.^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz|..^.........8q..{...}.*G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j*..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Java jmod module version 1.0
                                                  Category:dropped
                                                  Size (bytes):896846
                                                  Entropy (8bit):7.923431656723031
                                                  Encrypted:false
                                                  SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                  MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                  SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                  SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                  SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                  Malicious:false
                                                  Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):639224
                                                  Entropy (8bit):6.219852228773659
                                                  Encrypted:false
                                                  SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                  MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                  SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                  SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                  SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):98224
                                                  Entropy (8bit):6.452201564717313
                                                  Encrypted:false
                                                  SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                  MD5:F34EB034AA4A9735218686590CBA2E8B
                                                  SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                  SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                  SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):37256
                                                  Entropy (8bit):6.297533243519742
                                                  Encrypted:false
                                                  SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                  MD5:135359D350F72AD4BF716B764D39E749
                                                  SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                  SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                  SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                  Category:dropped
                                                  Size (bytes):372526
                                                  Entropy (8bit):4.467275942115759
                                                  Encrypted:false
                                                  SSDEEP:3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
                                                  MD5:B52B2D1D4C9E56CA24AB0CD0730CC5AD
                                                  SHA1:C70A3683DF57DE3096CA58F314C0B649035392CC
                                                  SHA-256:73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
                                                  SHA-512:CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
                                                  Malicious:false
                                                  Preview:............ .( ..v......... .(.... ..@@.... .(B...(..00.... ..%...j.. .... ............... .....>......... .h......(............. ...... ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {90986429-FF00-4665-9CF9-007CC571AF21}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Dec 23 10:30:23 2024, Last Saved Time/Date: Mon Dec 23 10:30:23 2024, Last Printed: Mon Dec 23 10:30:23 2024, Number of Pages: 450
                                                  Category:dropped
                                                  Size (bytes):60282613
                                                  Entropy (8bit):7.201424542972685
                                                  Encrypted:false
                                                  SSDEEP:786432:aWZljVmrjV7eIAtehOTZPoZ4sdUuzt/NCaY2ksC:aWrVmrjV7eIvhOTZARjVCa1t
                                                  MD5:FA83AE439FADCE1E74CD7F84820F6D7D
                                                  SHA1:6BF2284C716425218C42F8027935A29F99E32BBF
                                                  SHA-256:88CA3332931BA3BD47E0DEF74997B62CF5615FE79CCA565EDF92160540E2927B
                                                  SHA-512:E80559DB304BB7F767D7C52793B24E23C282FDF20B18E0A83B3098864C87C31D2D3593B7297B056AC8F1BB05CD5376A6831BD62FBCEA83CFD3F6E7C96E6EA5CB
                                                  Malicious:false
                                                  Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...N...:...;...<...=...>...?...@...A...D...C...K...E...F...G...H...I...J...""..L...M...e...O...P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):380520
                                                  Entropy (8bit):6.512348002260683
                                                  Encrypted:false
                                                  SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                  MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                  SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                  SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                  SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):393114
                                                  Entropy (8bit):4.736519627075982
                                                  Encrypted:false
                                                  SSDEEP:3072:vG9IAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzc:vG9JCANx6xPZX9mBt
                                                  MD5:29A3C32E4957FE1A5701BAD805F58596
                                                  SHA1:7744135CE1A1EE3D3B12A3BBC93E863BB5F4F82C
                                                  SHA-256:515839493351DAF8B4DA0F40A90B3BF7A8F4DDBA49D8BF065E45CF69D66F793C
                                                  SHA-512:D8A411E5746DE97F89A8CDC59957FD0CEAB6D0BA46F009777F049120ED172E90C8E509DDEEF0483A7123160599E2CB6FC7319BFE481E563E9B94713A862391AD
                                                  Malicious:false
                                                  Preview:...@IXOS.@.....@Jc.Y.@.....@.....@.....@.....@.....@......&.{3EA19BE5-AFD9-44E3-AEE5-EB703BC123C6}..App x installer..3gPZmVbozD.msi.@.....@.....@.....@......icon_22.exe..&.{90986429-FF00-4665-9CF9-007CC571AF21}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}C.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}8.21:\Software\Coors Q Corporation\App x installer\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}N.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}U.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.d
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):787808
                                                  Entropy (8bit):6.693392695195763
                                                  Encrypted:false
                                                  SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                  MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                  SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                  SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                  SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1021792
                                                  Entropy (8bit):6.608727172078022
                                                  Encrypted:false
                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1201504
                                                  Entropy (8bit):6.4557937684843365
                                                  Encrypted:false
                                                  SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                  MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                  SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                  SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                  SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.|CF..@G.|DF..@G.|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):1.1643055674461733
                                                  Encrypted:false
                                                  SSDEEP:12:JSbX72FjFAGiLIlHVRpZh/7777777777777777777777777vDHFkwiW7bit/l0i5:JLQI5teW+iF
                                                  MD5:6E67661947FACEDF567DC71964B9557F
                                                  SHA1:6418E24DD1BFE456D0CC2DFB924CD2B46405C6C9
                                                  SHA-256:A0B04EC74CB416250A7D1E437A813C62952350C11A93A6BFDB013BB088029300
                                                  SHA-512:B7E5FEF02DB5D6E6E8D4B1081D477B487FC2261DAF547FB524E68D804A054D8C40CF6D4AE6F7FE28F9E4DC8DB2212D0F1D702B8A5E093F797B3DBFA7ABC5CF24
                                                  Malicious:false
                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):1.5860587086444276
                                                  Encrypted:false
                                                  SSDEEP:48:Nt8PhXuRc06WXJ0FT5C75sjeWAAECiCyVSCvo4MUX2ySCOTU:mhX13FTcGj/ECeFXj
                                                  MD5:1E4BA22E9B0E588F09A3275018F2398A
                                                  SHA1:82CCB45FB86AAC0A773AAC306A201344FC16F0D7
                                                  SHA-256:DBB537AB837B394DF17654C9B1B45C407F67C7415B4CDD7017AC1DF53962B30B
                                                  SHA-512:40C1CB09A38F253C3688147738BF2FF28C9A4BB7E229B0D9C0717CEC2B9D22BFCEB4BE0D9722E3B6A9BF5D8A75903CFCB7B483C64EBD6E5D2DD113414AF8F24C
                                                  Malicious:false
                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):432221
                                                  Entropy (8bit):5.375177649370009
                                                  Encrypted:false
                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaun:zTtbmkExhMJCIpErO
                                                  MD5:291426D47CF6CA3C2648F6880E0BCCAE
                                                  SHA1:87EB401DB330697F7B4192252A22B6DF252C1A9B
                                                  SHA-256:C3146E25871CA5FF76CA90C9924ADB08826CCFC1C9D34A5E135C640D7B0661F6
                                                  SHA-512:FCF5352C8AC18629BB686C9C44508C0FF94213B437733CF22CA7FD6F97FDA2DDE7BD24583225DDDDD30B049557A7090008C8D15E140FAE39B8F5E97F33B11D98
                                                  Malicious:false
                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):73728
                                                  Entropy (8bit):0.1455134157141511
                                                  Encrypted:false
                                                  SSDEEP:24:zlgePTxkrMvxipVkrMvvkrMvPAEVkryjCyH1ipVkrMvIV2BwGkZMU801DXv+lrDX:a4TeySCTAAECiCyVSCvo4MUXBXvofX
                                                  MD5:171D52968B45E8008EB7FEA433F21202
                                                  SHA1:F7AC2F1E732B217B753DDCA1618DD6D5AC14BFAE
                                                  SHA-256:20644B4CC2211B45162FCDDAAFABF9DBFDE07AD280CE93E71F3740FEFD871A43
                                                  SHA-512:0C34B6DA0026B29F8E1BE4BEF7C9D6DBE80CA834030957B7EAA14C403EA82774CF811429FA4077BA9199F801E7721F4DE375595BFEB7432366682F9B2B64F3C9
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):1.5860587086444276
                                                  Encrypted:false
                                                  SSDEEP:48:Nt8PhXuRc06WXJ0FT5C75sjeWAAECiCyVSCvo4MUX2ySCOTU:mhX13FTcGj/ECeFXj
                                                  MD5:1E4BA22E9B0E588F09A3275018F2398A
                                                  SHA1:82CCB45FB86AAC0A773AAC306A201344FC16F0D7
                                                  SHA-256:DBB537AB837B394DF17654C9B1B45C407F67C7415B4CDD7017AC1DF53962B30B
                                                  SHA-512:40C1CB09A38F253C3688147738BF2FF28C9A4BB7E229B0D9C0717CEC2B9D22BFCEB4BE0D9722E3B6A9BF5D8A75903CFCB7B483C64EBD6E5D2DD113414AF8F24C
                                                  Malicious:false
                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):1.5860587086444276
                                                  Encrypted:false
                                                  SSDEEP:48:Nt8PhXuRc06WXJ0FT5C75sjeWAAECiCyVSCvo4MUX2ySCOTU:mhX13FTcGj/ECeFXj
                                                  MD5:1E4BA22E9B0E588F09A3275018F2398A
                                                  SHA1:82CCB45FB86AAC0A773AAC306A201344FC16F0D7
                                                  SHA-256:DBB537AB837B394DF17654C9B1B45C407F67C7415B4CDD7017AC1DF53962B30B
                                                  SHA-512:40C1CB09A38F253C3688147738BF2FF28C9A4BB7E229B0D9C0717CEC2B9D22BFCEB4BE0D9722E3B6A9BF5D8A75903CFCB7B483C64EBD6E5D2DD113414AF8F24C
                                                  Malicious:false
                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):1.268960818371767
                                                  Encrypted:false
                                                  SSDEEP:48:R0PupO+CFXJpT5EVU75sjeWAAECiCyVSCvo4MUX2ySCOTU:+PBRTuVUGj/ECeFXj
                                                  MD5:1B96EABC16B00BC68B9B7EAC0B8BD575
                                                  SHA1:F724E17A8108DBD27B25D64B064F404CF5D1E77D
                                                  SHA-256:FE84BC7608AFF81D27A887D4B7E6B59E49D0D46171EEFB12B9A31AD6BA6D108E
                                                  SHA-512:0700D640A8088F0CC1F33F450E128CFB188EC87CFB6C222CFB49DF52296F8F71B63FF6E79863856BFD70725AB1E965D473C2238E5AC8561877ECD1D6F328FF00
                                                  Malicious:false
                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):1.268960818371767
                                                  Encrypted:false
                                                  SSDEEP:48:R0PupO+CFXJpT5EVU75sjeWAAECiCyVSCvo4MUX2ySCOTU:+PBRTuVUGj/ECeFXj
                                                  MD5:1B96EABC16B00BC68B9B7EAC0B8BD575
                                                  SHA1:F724E17A8108DBD27B25D64B064F404CF5D1E77D
                                                  SHA-256:FE84BC7608AFF81D27A887D4B7E6B59E49D0D46171EEFB12B9A31AD6BA6D108E
                                                  SHA-512:0700D640A8088F0CC1F33F450E128CFB188EC87CFB6C222CFB49DF52296F8F71B63FF6E79863856BFD70725AB1E965D473C2238E5AC8561877ECD1D6F328FF00
                                                  Malicious:false
                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):1.268960818371767
                                                  Encrypted:false
                                                  SSDEEP:48:R0PupO+CFXJpT5EVU75sjeWAAECiCyVSCvo4MUX2ySCOTU:+PBRTuVUGj/ECeFXj
                                                  MD5:1B96EABC16B00BC68B9B7EAC0B8BD575
                                                  SHA1:F724E17A8108DBD27B25D64B064F404CF5D1E77D
                                                  SHA-256:FE84BC7608AFF81D27A887D4B7E6B59E49D0D46171EEFB12B9A31AD6BA6D108E
                                                  SHA-512:0700D640A8088F0CC1F33F450E128CFB188EC87CFB6C222CFB49DF52296F8F71B63FF6E79863856BFD70725AB1E965D473C2238E5AC8561877ECD1D6F328FF00
                                                  Malicious:false
                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):0.07125899919259641
                                                  Encrypted:false
                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOkwrflbQWOtgVky6lit/:2F0i8n0itFzDHFkwiWOZit/
                                                  MD5:D06DF7D110FA7B2EABA44F40176F4880
                                                  SHA1:1C35AABEAD7D69C1717616DDFDA076F31F084826
                                                  SHA-256:3576192BEA410A2CF1C17F71B57463A0198F248EB402D5F60FCBCD1BBBA91557
                                                  SHA-512:C93017EA87833C978E0440B2A8C5C5081E453FE477A027A385A60877F26C5F6A80C0E5C273B228EAED16C58F1579E51D63D7DA8633496C3F4972518F4C5ED148
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):638
                                                  Entropy (8bit):4.751962275036146
                                                  Encrypted:false
                                                  SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                  MD5:15CA959638E74EEC47E0830B90D0696E
                                                  SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                  SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                  SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                  Malicious:false
                                                  Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
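Triage of the dropped-file records listed above, as an added example that is not part of the Joe Sandbox report. It recomputes the hash and entropy values the report gives for the 512-byte, entropy-0.0 drops to confirm they are all-zero sectors, and groups the transcribed records by SHA-256 so that identical content dropped several times is counted once. The record list is transcribed from the report; the section shown here does not carry the dropped files' paths, so records are keyed by hash only, and the entropy thresholds are an assumption made for this example.

```python
"""Triage the dropped-file records from the sandbox report.

Added example, not the report's own code. Records are transcribed from
the report; file paths are not on the page, so only hash/size/entropy are used.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the report lists."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


# Values the report gives for every 512-byte / entropy 0.0 drop.
ZERO_SECTOR_REPORTED = {
    "MD5": "BF619EAC0CDF3F68D496EA9344137E8B",
    "SHA1": "5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5",
    "SHA-256": "076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560",
    "SHA-512": "DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7"
               "905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE",
}


def verify_zero_sector() -> bool:
    """True if 512 NUL bytes reproduce the report's digests and entropy exactly."""
    data = bytes(512)
    return digests(data) == ZERO_SECTOR_REPORTED and shannon_entropy(data) == 0.0


# SHA-256 values transcribed from the report's dropped-file records.
SHA_ZERO = ZERO_SECTOR_REPORTED["SHA-256"]
SHA_73K = "20644B4CC2211B45162FCDDAAFABF9DBFDE07AD280CE93E71F3740FEFD871A43"
SHA_CDF20K = "DBB537AB837B394DF17654C9B1B45C407F67C7415B4CDD7017AC1DF53962B30B"
SHA_CDF32K = "FE84BC7608AFF81D27A887D4B7E6B59E49D0D46171EEFB12B9A31AD6BA6D108E"
SHA_32K = "3576192BEA410A2CF1C17F71B57463A0198F248EB402D5F60FCBCD1BBBA91557"
SHA_HELP = "57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE"

# (size in bytes, entropy, SHA-256) for the 13 records above, in report order.
REPORT_RECORDS = [
    (73728, 0.1455134157141511, SHA_73K),
    (512, 0.0, SHA_ZERO),
    (20480, 1.5860587086444276, SHA_CDF20K),
    (20480, 1.5860587086444276, SHA_CDF20K),
    (32768, 1.268960818371767, SHA_CDF32K),
    (32768, 1.268960818371767, SHA_CDF32K),
    (32768, 1.268960818371767, SHA_CDF32K),
    (512, 0.0, SHA_ZERO),
    (512, 0.0, SHA_ZERO),
    (512, 0.0, SHA_ZERO),
    (32768, 0.07125899919259641, SHA_32K),
    (512, 0.0, SHA_ZERO),
    (638, 4.751962275036146, SHA_HELP),
]


def dedupe_by_sha256(records) -> dict:
    """Collapse repeated drops of identical content: sha256 -> {count, size, entropy}."""
    out = {}
    for size, entropy, sha256 in records:
        entry = out.setdefault(sha256, {"count": 0, "size": size, "entropy": entropy})
        entry["count"] += 1
    return out


def entropy_bucket(entropy: float) -> str:
    """Coarse label for an 8-bit entropy value. Thresholds are an assumption for this example."""
    if entropy < 2.0:
        return "near-empty"        # mostly NUL padding, e.g. installer scratch blocks
    if entropy < 6.5:
        return "structured/text"   # help text, code, uncompressed containers
    return "packed/encrypted"      # compressed or encrypted payloads


def triage(records) -> list:
    """One row per unique content: (sha256, count, size, bucket), most-repeated first."""
    rows = [(sha, e["count"], e["size"], entropy_bucket(e["entropy"]))
            for sha, e in dedupe_by_sha256(records).items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    print("512-byte drops are all-zero sectors:", verify_zero_sector())
    for sha, count, size, bucket in triage(REPORT_RECORDS):
        print(f"{sha[:16]}...  x{count}  {size:>6} B  {bucket}")
```

Run as-is, the script confirms that the five 512-byte drops are NUL-filled sectors and reduces the 13 records to 6 distinct contents, of which only the 638-byte createdump usage text is text-like; the rest are low-entropy scratch files written by msiexec.exe.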
                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {90986429-FF00-4665-9CF9-007CC571AF21}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Dec 23 10:30:23 2024, Last Saved Time/Date: Mon Dec 23 10:30:23 2024, Last Printed: Mon Dec 23 10:30:23 2024, Number of Pages: 450
                                                  Entropy (8bit):7.201424542972685
                                                  TrID:
                                                  • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                  • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                  File name:3gPZmVbozD.msi
                                                  File size:60'282'613 bytes
                                                  MD5:fa83ae439fadce1e74cd7f84820f6d7d
                                                  SHA1:6bf2284c716425218c42f8027935a29f99e32bbf
                                                  SHA256:88ca3332931ba3bd47e0def74997b62cf5615fe79cca565edf92160540e2927b
                                                  SHA512:e80559db304bb7f767d7c52793b24e23c282fdf20b18e0a83b3098864c87c31d2d3593b7297b056ac8f1bb05cd5376a6831bd62fbcea83cfd3f6e7c96e6ea5cb
                                                  SSDEEP:786432:aWZljVmrjV7eIAtehOTZPoZ4sdUuzt/NCaY2ksC:aWrVmrjV7eIvhOTZARjVCa1t
                                                  TLSH:AAD76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
                                                  File Content Preview:........................>............................................2..................................................................x......................................................................................................................
                                                  Icon Hash:2d2e3797b32b2b99
                                                   Timestamp                        SID      Signature                                            Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
                                                   2024-12-23T18:26:18.934117+0100  2829202  ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA  1         192.168.2.4  49731        172.67.183.84  443        TCP
                                                   Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                   Dec 23, 2024 18:26:17.664834976 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:17.664918900 CET  443          49731      172.67.183.84  192.168.2.4
                                                   Dec 23, 2024 18:26:17.665011883 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:17.671031952 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:17.671072006 CET  443          49731      172.67.183.84  192.168.2.4
                                                   Dec 23, 2024 18:26:18.889396906 CET  443          49731      172.67.183.84  192.168.2.4
                                                   Dec 23, 2024 18:26:18.889497042 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:18.929915905 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:18.929965019 CET  443          49731      172.67.183.84  192.168.2.4
                                                   Dec 23, 2024 18:26:18.930217028 CET  443          49731      172.67.183.84  192.168.2.4
                                                   Dec 23, 2024 18:26:18.930278063 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:18.933878899 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:18.933981895 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:18.934052944 CET  443          49731      172.67.183.84  192.168.2.4
                                                   Dec 23, 2024 18:26:19.640976906 CET  443          49731      172.67.183.84  192.168.2.4
                                                   Dec 23, 2024 18:26:19.641041040 CET  443          49731      172.67.183.84  192.168.2.4
                                                   Dec 23, 2024 18:26:19.641063929 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:19.641160965 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:19.641653061 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:19.641716957 CET  443          49731      172.67.183.84  192.168.2.4
                                                   Dec 23, 2024 18:26:19.641747952 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Dec 23, 2024 18:26:19.641772985 CET  49731        443        192.168.2.4    172.67.183.84
                                                   Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                   Dec 23, 2024 18:26:17.387667894 CET  61386        53         192.168.2.4  1.1.1.1
                                                   Dec 23, 2024 18:26:17.656678915 CET  53           61386      1.1.1.1      192.168.2.4
                                                   Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
                                                   Dec 23, 2024 18:26:17.387667894 CET  192.168.2.4  1.1.1.1  0xab92    Standard query (0)  maddhouzz.com  A (IP address)  IN (0x0001)  false
                                                   Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
                                                   Dec 23, 2024 18:26:17.656678915 CET  1.1.1.1    192.168.2.4  0xab92    No error (0)  maddhouzz.com         172.67.183.84  A (IP address)  IN (0x0001)  false
                                                   Dec 23, 2024 18:26:17.656678915 CET  1.1.1.1    192.168.2.4  0xab92    No error (0)  maddhouzz.com         104.21.18.202  A (IP address)  IN (0x0001)  false
                                                  • maddhouzz.com
                                                   Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                   0           192.168.2.4  49731        172.67.183.84   443               7472  C:\Windows\SysWOW64\msiexec.exe
                                                   Timestamp                Bytes  Direction  Data
                                                   2024-12-23 17:26:18 UTC  191    OUT        POST /updater.php HTTP/1.1
                                                                                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                                                              User-Agent: AdvancedInstaller
                                                                                              Host: maddhouzz.com
                                                                                              Content-Length: 71
                                                                                              Cache-Control: no-cache
                                                   2024-12-23 17:26:18 UTC  71     OUT        Data Raw: 44 61 74 65 3d 32 33 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 31 32 25 33 41 32 36 25 33 41 31 36 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                                                              Data Ascii: Date=23%2F12%2F2024&Time=12%3A26%3A16&BuildVersion=8.9.9&SoroqVins=True
                                                   2024-12-23 17:26:19 UTC  825    IN         HTTP/1.1 500 Internal Server Error
                                                                                              Date: Mon, 23 Dec 2024 17:26:19 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Cache-Control: no-store
                                                                                              cf-cache-status: DYNAMIC
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vg%2BuIAdXIIXzyqvkb1IQ6mjl9Mlxj31x6F35sELvVEo2LL%2FsVp9s9BdlscBZfN6SzY2wA%2BxDcD7fOKvZiNQqMF1uwOHrKWO4ulisMUBbwc991tiPCvEJYCDHViOOMBwP"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 8f6a0e51cd9741e0-EWR
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1641&min_rtt=1603&rtt_var=628&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=922&delivery_rate=1821584&cwnd=238&unsent_bytes=0&cid=5595ca88fb9497f2&ts=763&x=0"
                                                   2024-12-23 17:26:19 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0 (the zero-length chunk "0\r\n\r\n" that terminates the chunked response; the 500 reply carried no body beyond it)


                                                  Target ID:0
                                                  Start time:12:26:06
                                                  Start date:23/12/2024
                                                  Path:C:\Windows\System32\msiexec.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\3gPZmVbozD.msi"
                                                  Imagebase:0x7ff72db90000
                                                  File size:69'632 bytes
                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:12:26:06
                                                  Start date:23/12/2024
                                                  Path:C:\Windows\System32\msiexec.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                  Imagebase:0x7ff72db90000
                                                  File size:69'632 bytes
                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:2
                                                  Start time:12:26:09
                                                  Start date:23/12/2024
                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D8BC283402454473AA94702B7499391E
                                                  Imagebase:0xe00000
                                                  File size:59'904 bytes
                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:12:26:19
                                                  Start date:23/12/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC40.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC3D.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC3E.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC3F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                  Imagebase:0xd0000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:12:26:19
                                                  Start date:23/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:12:26:26
                                                  Start date:23/12/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
                                                  Imagebase:0x7ff60c840000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:12:26:26
                                                  Start date:23/12/2024
                                                  Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
                                                  Imagebase:0x7ff7b6c80000
                                                  File size:57'488 bytes
                                                  MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:12:26:26
                                                  Start date:23/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:12:26:26
                                                  Start date:23/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:12:26:27
                                                  Start date:23/12/2024
                                                  Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
                                                  Imagebase:0x140000000
                                                  File size:117'496 bytes
                                                  MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:12:26:27
                                                  Start date:23/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1820954750.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $^q$$^q$$^q
                                                    • API String ID: 0-831282457
                                                    • Opcode ID: d8218517599caf3fb22269cd3ba07fee918abeaee1daf0bc3c3385c35deefd00
                                                    • Instruction ID: 64c3844d19ff9bbb654118b256f4e60b7caccebeca2b97dc272e903c04b100a8
                                                    • Opcode Fuzzy Hash: d8218517599caf3fb22269cd3ba07fee918abeaee1daf0bc3c3385c35deefd00
                                                    • Instruction Fuzzy Hash: CE612430B042589FDB65AF69DC40AAABBF6EF85210F1484BAE445CB392DB31CD45C7A1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1820954750.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $^q$$^q
                                                    • API String ID: 0-355816377
                                                    • Opcode ID: 65cc53de3bf2a2b3892ee4050c3ae53aaf776d32ec27f62dd2252d827717b2ef
                                                    • Instruction ID: 9446795a42daa2e0bb0ae10ef1d6d8bf8fd3cb2c584c27b64de9b40873f32fe5
                                                    • Opcode Fuzzy Hash: 65cc53de3bf2a2b3892ee4050c3ae53aaf776d32ec27f62dd2252d827717b2ef
                                                    • Instruction Fuzzy Hash: FB31C130E04309DFDBA4EF59CD44BA5BBF5EF81210F1980BAE4458B291D734D985CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1817638856.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_4560000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e484966fdec270917bb6b1e0cd6cbdca6a3bea82c1d3d35f74c4c5db6196a78b
                                                    • Instruction ID: 3362b078db28652c99143a4fa570affe2e7eefee6160b4f50661e6192e9bc43d
                                                    • Opcode Fuzzy Hash: e484966fdec270917bb6b1e0cd6cbdca6a3bea82c1d3d35f74c4c5db6196a78b
                                                    • Instruction Fuzzy Hash: 3CA1AD31A012089FDB14EFA5D944AADBBF2FF84344F114559E806AF369DB74BC89DB80
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1817638856.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_4560000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5cd58f51d9d1b34a373f804d338b3e87465d08cfb8da790e72c4277f7fe4aed
                                                    • Instruction ID: d9303dff4b84049110efb24e6a58e190ad82d8d2dbc40483a089a8a6130bb897
                                                    • Opcode Fuzzy Hash: b5cd58f51d9d1b34a373f804d338b3e87465d08cfb8da790e72c4277f7fe4aed
                                                    • Instruction Fuzzy Hash: 3771DD30A012198FDB14DF69D880A9EFBF6FF89310F18856AE416DB251DB75BC46CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1817638856.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_4560000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 95c9ff915e2d2b311361c4f3e3430ab21261b7d41e41ae5655a37f56385e0f1e
                                                    • Instruction ID: b3d7d72f6f0f7b8c4d0b31fc23cd19fe1f7abaf3ddb1d0cbc18770f6b91bcbca
                                                    • Opcode Fuzzy Hash: 95c9ff915e2d2b311361c4f3e3430ab21261b7d41e41ae5655a37f56385e0f1e
                                                    • Instruction Fuzzy Hash: 52716A30A01618DFDB14EFA5D484AADBBF2FF88304F248429D416AB2A1DB75AC46DB51
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1817638856.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_4560000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40403fba994baa4b8b9960dfaba6395ab69f643dd42ef3fb80a43b93362610c0
                                                    • Instruction ID: 42bb252b84339d62fe189c923d7d3cf41b79bb41986a52508549e4ee0d140368
                                                    • Opcode Fuzzy Hash: 40403fba994baa4b8b9960dfaba6395ab69f643dd42ef3fb80a43b93362610c0
                                                    • Instruction Fuzzy Hash: DE41DF316012149FEB14EF65D894AAE7BF6FF88750F184169E506EB3A0CF78AC81DB50
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1817638856.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_4560000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 418bda428651359debfc4f9e3edfcb7bdd6d6f2efd32dcc690af6119b4a2659e
                                                    • Instruction ID: 078489e738e1aa6b492ef10680f05e3c5c6d7432dcfe7d621251803d72d7a556
                                                    • Opcode Fuzzy Hash: 418bda428651359debfc4f9e3edfcb7bdd6d6f2efd32dcc690af6119b4a2659e
                                                    • Instruction Fuzzy Hash: 14418E70A012189FDB14EFA6D8446ADFBF2FF85300F14842DD406AB255DBB4AC45CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1817502920.00000000044BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_44bd000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 21f91133b9ad1e5ca486a07bc5059fede106417dc6052aea48559b9556ef54fc
                                                    • Instruction ID: 26780dd8db1535bbf2a2895cdc2a2b18708dc989cb4709f63ffce97e4ccc522b
                                                    • Opcode Fuzzy Hash: 21f91133b9ad1e5ca486a07bc5059fede106417dc6052aea48559b9556ef54fc
                                                    • Instruction Fuzzy Hash: 6401926140E3C05ED7124B259894792BFB4DF43224F0CC1DBD8888F293C2695849C7B2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1817502920.00000000044BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_44bd000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cab52b53bba7d3891b266b9206b304c52dd45f332240cb424eb825fad58d432d
                                                    • Instruction ID: c070811eec6c1d16d5d6964efe5a942ccd44330d7a56f74b08fec7707c13529b
                                                    • Opcode Fuzzy Hash: cab52b53bba7d3891b266b9206b304c52dd45f332240cb424eb825fad58d432d
                                                    • Instruction Fuzzy Hash: E20120B190570099EB204E15DDC47A7BF98DF41328F08C467DD880B246C679E841C6F1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1817638856.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_4560000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc7c4a9b64135acb218317270e970c89ae56340d68303a0e8488e53b045c0dec
                                                    • Instruction ID: 185ea03efffc10740c99f77695d4b59f028df0b305260e34a89499bcafc42c52
                                                    • Opcode Fuzzy Hash: cc7c4a9b64135acb218317270e970c89ae56340d68303a0e8488e53b045c0dec
                                                    • Instruction Fuzzy Hash: 8CF0D435A001199FDB15CF9DD990AEEF7B1FF88324F208159E515A72A1C736AC52CB60
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1817638856.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_4560000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05174c1187563a6ac3501d3a28c1c6ec69912041ff6511dd76851e0348d24219
                                                    • Instruction ID: 359170859d71bed0def5ddd58f578fa08a84ec3a25cf11be6dbc14658025f589
                                                    • Opcode Fuzzy Hash: 05174c1187563a6ac3501d3a28c1c6ec69912041ff6511dd76851e0348d24219
                                                    • Instruction Fuzzy Hash: D5F03070A4060A9FDB04EFA5D595B6E7BB2EF44344F108918D1429F3A8DB78AD48CBD0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1820954750.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 84Xk$84Xk$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$Pk$Pk
                                                    • API String ID: 0-925860617
                                                    • Opcode ID: 5ab142ff57e13dafd9bd4a54c6d7887fb1b80180375a081d9bf409eef98a93b6
                                                    • Instruction ID: 42acdde558bccfdfdc57de96b382a9febef2cab522e892caca849cc7397263e5
                                                    • Opcode Fuzzy Hash: 5ab142ff57e13dafd9bd4a54c6d7887fb1b80180375a081d9bf409eef98a93b6
                                                    • Instruction Fuzzy Hash: 0D914831F04354AFD765AB69DC04A6ABBF6EF85220B2881ABE445CF361CA31DC45C7E1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1820954750.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                    • API String ID: 0-3732357466
                                                    • Opcode ID: a128167b964e1ad04e252059b1e35cdea730799780efad94a32647bb25fd75a5
                                                    • Instruction ID: 2299d93f0cedc9d49092fa520bbc20d9a42d42f7cc715c44c83b7aaae8f0de90
                                                    • Opcode Fuzzy Hash: a128167b964e1ad04e252059b1e35cdea730799780efad94a32647bb25fd75a5
                                                    • Instruction Fuzzy Hash: 3B515D31F04349CFEB65AF699804AABBBF5AFC5210F28846FD445CB241DA32C845C7A1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1820954750.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4Wk$4Wk$$^q$$^q$$^q
                                                    • API String ID: 0-3095741987
                                                    • Opcode ID: e9c1fd027513570612c749b2b00c33c4cf91de551bd57a2b20d9227a4b5e5505
                                                    • Instruction ID: 5bffde8c68779df8552c3b9dc78d3db8a29bc825381ef3525bcc407b57a6b3bf
                                                    • Opcode Fuzzy Hash: e9c1fd027513570612c749b2b00c33c4cf91de551bd57a2b20d9227a4b5e5505
                                                    • Instruction Fuzzy Hash: 8E113A317102098FE7786E79A81077B7BEA8BC4610F24843AD546CB396DF36C841C3B6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1820954750.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6dd0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'^q$4'^q$$^q$$^q
                                                    • API String ID: 0-2049395529
                                                    • Opcode ID: 040d17fb33162661a404dfab2752169d7f3e19b1541e585bd9ebe616ae37dae5
                                                    • Instruction ID: ad7049822d1beca8ce22985649a59680c94714fe52725ccff746ab85e9882a44
                                                    • Opcode Fuzzy Hash: 040d17fb33162661a404dfab2752169d7f3e19b1541e585bd9ebe616ae37dae5
                                                    • Instruction Fuzzy Hash: 3C01DB21B493884FE76A3B6928245652FB65BC2650B5A449BC481DF25BCD25CC4AC3F2

                                                    Execution Graph

                                                    Execution Coverage:3.4%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:1.7%
                                                    Total number of Nodes:700
                                                    Total number of Limit Nodes:1
execution_graph: node/edge listing of the sampled functions (addresses in the 7ff7b6c81xxx to 7ff7b6c87xxx range) and the APIs reached from each, including RaiseException, IsProcessorFeaturePresent, GetModuleHandleW, GetTempPathA, strcat_s, strcmp, atoi, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, LoadLibraryExW, GetProcAddress, FreeLibrary, TlsFree, TlsAlloc, TlsGetValue, OpenProcess, K32GetModuleBaseNameA, CreateFileA, MiniDumpWriteDump, CloseHandle, WSAStartup, WSAGetLastError, gethostname, _time64, EncodePointer, RtlUnwindEx, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InitializeSListHead, GetCurrentProcess and TerminateProcess (rendered graph data not reproduced).

                                                    Control-flow graph of function 7ff7b6c81060 (rendered graph omitted; executed/not-executed colouring is not recoverable as text). Basic blocks span 7ff7b6c81060-7ff7b6c813b7 and call GetTempPathA, GetLastError, strcat_s, strcmp, atoi, __acrt_iob_func, fflush and the subroutines 7ff7b6c81450, 7ff7b6c82688, 7ff7b6c823c0, 7ff7b6c813c0 and 7ff7b6c82680.
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                    • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                    • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                    • API String ID: 2647627392-2367407095
                                                    • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                    • Instruction ID: 0a876bd7ef65e6cf477470e8a08dfb9d16b5d695eb7a0a470dff3b48b0c64d9d
                                                    • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                    • Instruction Fuzzy Hash: F4A15151D0C68355FB71AB28AC4C2BBE6E4AB67F54F8461B5CB4E4299DDE3CF8448320

                                                    Similarity
                                                    • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                    • String ID:
                                                    • API String ID: 2308368977-0
                                                    • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                    • Instruction ID: f07ab046a910e77c2e0292e326a88023080cc87731b9e141f53962e9b5beaf67
                                                    • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                    • Instruction Fuzzy Hash: 05310C11A0824241FA34BF689C1D3BB9291BF63F84FC450B5EB4D476DBDE2DB84582B4

                                                    Similarity
                                                    • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                    • String ID: [createdump]
                                                    • API String ID: 3735572767-2657508301
                                                    • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                    • Instruction ID: 65aa7321363e3590596ed4be36496cba289a637e81a95924c011b4e6f606f179
                                                    • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                    • Instruction Fuzzy Hash: 26012C21A19B8282E620AB54FC0D17BE364EB96BD1F804575DB8D03B6D9F3CE455C714

                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                    • String ID:
                                                    • API String ID: 3140674995-0
                                                    • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                    • Instruction ID: 2b0e1a0c05dd4a98bb2b05ae80e65491d6f60ea032fe5f8519a55dd1a5775f10
                                                    • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                    • Instruction Fuzzy Hash: 4E316F72619A8186EB709F64E8483FAB361FB55B44F804039DB4E47A98EF3CE548C724
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                    • Instruction ID: 3acee5cffed1c118b90cc4f42b9e5247ec6545c89b23f46bb2c9bba0b3d8cf40
                                                    • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                    • Instruction Fuzzy Hash: 7DA0023191EC82D0E674AB58EC5C133A330FB72B01BD015B1D70D414A89F3CB444D324

                                                    APIs
                                                    • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B6C8242D
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B6C8243B
                                                      • Part of subcall function 00007FF7B6C81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C81475
                                                      • Part of subcall function 00007FF7B6C81450: fprintf.MSPDB140-MSVCRT ref: 00007FF7B6C81485
                                                      • Part of subcall function 00007FF7B6C81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C81494
                                                      • Part of subcall function 00007FF7B6C81450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C814B3
                                                      • Part of subcall function 00007FF7B6C81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C814BE
                                                      • Part of subcall function 00007FF7B6C81450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C814C7
                                                    • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B6C82466
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B6C82470
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B6C82487
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B6C825F3
                                                    Similarity
                                                    • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                    • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                    • API String ID: 3971781330-1292085346
                                                    • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                    • Instruction ID: 838a9d2a7469d91d40e36b5bf5c3def1967a0bb5495fe8203304f4a56b527194
                                                    • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                    • Instruction Fuzzy Hash: B961613160964281E630AF19A85C67BB7A1FBA6B90F900174DB9E03AADCF3CF445D750

                                                    Control-flow graph of function 7ff7b6c849a4 (rendered graph omitted; executed/not-executed colouring is not recoverable as text). Basic blocks span 7ff7b6c849a4-7ff7b6c84e9f and call abort, terminate and the subroutines 7ff7b6c84518, 7ff7b6c843d0, 7ff7b6c85724, 7ff7b6c83be8, 7ff7b6c82660, 7ff7b6c84ea0, 7ff7b6c836d0, 7ff7b6c83670, 7ff7b6c856a8, 7ff7b6c83bbc, 7ff7b6c85fd8, 7ff7b6c860c8, 7ff7b6c85ab0, 7ff7b6c852d0, 7ff7b6c848d0, 7ff7b6c84090, 7ff7b6c85838 and 7ff7b6c83f84.
                                                    Similarity
                                                    • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 695522112-393685449
                                                    • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                    • Instruction ID: 3c81d785f5018587f22d96b58ea03f884305892db58f8e9705039bead955326f
                                                    • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                    • Instruction Fuzzy Hash: 5EE183739086828AE720EB28D84C3BEB7A0FB66B48F548175DB4D47659DF38F485C750

                                                    Similarity
                                                    • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                    • String ID: [createdump]
                                                    • API String ID: 3735572767-2657508301
                                                    • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                    • Instruction ID: e0d96b83afa38435b6045ea5c45e32cc5db7ceb1c6c2f001c4a7006a6057999d
                                                    • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                    • Instruction Fuzzy Hash: 49012C31A19B8282E620AB54FC1C1BBA360EB96BD1F804175DB8D03B6D9F7CE495C754

                                                    APIs
                                                    • WSAStartup.WS2_32 ref: 00007FF7B6C8186C
                                                      • Part of subcall function 00007FF7B6C81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C81475
                                                      • Part of subcall function 00007FF7B6C81450: fprintf.MSPDB140-MSVCRT ref: 00007FF7B6C81485
                                                      • Part of subcall function 00007FF7B6C81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C81494
                                                      • Part of subcall function 00007FF7B6C81450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C814B3
                                                      • Part of subcall function 00007FF7B6C81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C814BE
                                                      • Part of subcall function 00007FF7B6C81450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C814C7
                                                    Similarity
                                                    • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                    • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                    • API String ID: 3378602911-3973674938
                                                    • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                    • Instruction ID: 712ecd304e6c64822a0cbe65b65d0894fc16dbef0e09c536452166eec8f10358
                                                    • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                    • Instruction Fuzzy Hash: 5331D362A08AC286E765AF199C5D7FAA791BB67B84F8510B3DF4D03699CE3CF044C310
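
The dump-writing routine above (OpenProcess, K32GetModuleBaseNameA, CloseHandle, with the strings "Writing %s to file %s" and "Write dump FAILED 0x%08x") and this `--name` template parser (with "Invalid dump name format char '%c'" and "Pipe syntax in dump name not supported") together show how createdump.exe is driven from its command line: a dump type flag, an optional name template with %p/%e/%h specifiers, and a target PID, with the default name built from GetTempPathA plus "dump.%p.dmp". The following is an added example, not code from the report or from createdump itself: it reconstructs that option and dump-name handling from the recovered strings and uses it to triage createdump.exe launches in process-creation telemetry. Everything not in the recovered strings is an assumption made for the example: the `timestamp|image|command line` log format and the sample events, the host name, the default temp directory, the trusted .NET install directories, "minidump with heap" as the default dump type, and the decision to model only the %p, %e, %h and %% specifiers.

```python
"""Added example (not code from the report or from createdump): triage
createdump.exe launches using the option vocabulary recovered above."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Dump-type flags and names as in the recovered strings (--diag/--verbose are skipped).
DUMP_TYPE_FLAGS = {"--normal": "minidump", "--withheap": "minidump with heap",
                   "--triage": "triage minidump", "--full": "full dump"}
# Assumption: where a legitimately installed createdump.exe lives.
TRUSTED_DIR_FRAGMENTS = ("\\dotnet\\shared\\", "\\dotnet\\sdk\\")


def expand_dump_name(template: str, pid: int, exe: str, host: str) -> str:
    """Expand %p, %e, %h and %% as the usage string documents. A leading '|'
    and any other specifier raise, mirroring the binary's two error strings;
    further specifiers the real tool may accept are not modelled (assumption)."""
    if template.startswith("|"):
        raise ValueError("Pipe syntax in dump name not supported")
    subst = {"p": str(pid), "e": exe, "h": host, "%": "%"}
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%":
            i += 1
            spec = template[i] if i < len(template) else ""
            if spec not in subst:
                raise ValueError(f"Invalid dump name format char '{spec}'")
            ch = subst[spec]
        out.append(ch)
        i += 1
    return "".join(out)


def parse_createdump_args(argv, temp_dir):
    """Return (pid, dump_type, name_template). The default name is temp dir +
    'dump.%p.dmp' as the binary builds it; the default type is an assumption."""
    pid, dump_type, name = None, "minidump with heap", None
    it = iter(argv[1:])
    for tok in it:
        if tok in DUMP_TYPE_FLAGS:
            dump_type = DUMP_TYPE_FLAGS[tok]
        elif tok in ("-f", "--name"):
            name = next(it, None)
        elif tok.isdigit():
            pid = int(tok)
    if name is None:
        name = temp_dir.rstrip("\\") + "\\dump.%p.dmp"
    return pid, dump_type, name


@dataclass
class Finding:
    timestamp: str
    image: str
    target_pid: Optional[int]
    dump_type: str
    dump_path: str
    reasons: tuple


def triage_events(lines, host="WS01", temp_dir="C:\\Users\\user\\AppData\\Local\\Temp\\"):
    """Lines use a constructed 'timestamp|image|command line' format; one Finding
    per createdump.exe launch, with reasons empty when nothing stands out."""
    findings = []
    for line in lines:
        ts, image, cmdline = line.rstrip("\n").split("|", 2)
        if not image.lower().endswith("\\createdump.exe"):
            continue
        argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
        pid, dump_type, template = parse_createdump_args(argv, temp_dir)
        reasons = []
        if not any(frag in image.lower() for frag in TRUSTED_DIR_FRAGMENTS):
            reasons.append("createdump.exe outside the .NET install directories")
        if dump_type == "full dump":
            reasons.append("full process memory dump requested")
        try:
            # The target's executable name is not in the launch event itself.
            dump_path = expand_dump_name(template, pid or 0, "<target>", host)
        except ValueError as err:
            dump_path = template
            reasons.append(f"rejected name template: {err}")
        findings.append(Finding(ts, image, pid, dump_type, dump_path, tuple(reasons)))
    return findings


# Constructed sample telemetry, not taken from the report.
SAMPLE_EVENTS = [
    "2024-12-23T10:01:02|C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\8.0.0\\createdump.exe|createdump.exe --withheap 4120",
    "2024-12-23T10:05:44|C:\\Users\\user\\AppData\\Local\\Temp\\createdump.exe|\"C:\\Users\\user\\AppData\\Local\\Temp\\createdump.exe\" --full --name C:\\Users\\user\\AppData\\Local\\Temp\\%h_%p.dmp 620",
    "2024-12-23T10:06:10|C:\\Users\\user\\AppData\\Local\\Temp\\createdump.exe|createdump.exe --triage -f |C:\\x.exe 620",
    "2024-12-23T10:07:00|C:\\Windows\\System32\\notepad.exe|notepad.exe",
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it prints three findings for the constructed events: the launch from the .NET shared runtime directory with no reasons, the Temp-directory launch requesting a full dump with the expanded path WS01_620.dmp, and the launch whose pipe-style name the binary would reject. In practice feed it Sysmon event ID 1 or Windows Security 4688 records and join the target PID against the process list to learn which process was being dumped.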

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF7B6C8669F,?,?,?,00007FF7B6C8441E,?,?,?,00007FF7B6C843D9), ref: 00007FF7B6C8651D
                                                    • GetLastError.KERNEL32(?,00000000,00007FF7B6C8669F,?,?,?,00007FF7B6C8441E,?,?,?,00007FF7B6C843D9,?,?,?,?,00007FF7B6C83524), ref: 00007FF7B6C8652B
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00007FF7B6C8669F,?,?,?,00007FF7B6C8441E,?,?,?,00007FF7B6C843D9,?,?,?,?,00007FF7B6C83524), ref: 00007FF7B6C86555
                                                    • FreeLibrary.KERNEL32(?,00000000,00007FF7B6C8669F,?,?,?,00007FF7B6C8441E,?,?,?,00007FF7B6C843D9,?,?,?,?,00007FF7B6C83524), ref: 00007FF7B6C8659B
                                                    • GetProcAddress.KERNEL32(?,00000000,00007FF7B6C8669F,?,?,?,00007FF7B6C8441E,?,?,?,00007FF7B6C843D9,?,?,?,?,00007FF7B6C83524), ref: 00007FF7B6C865A7
                                                    Similarity
                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                    • String ID: api-ms-
                                                    • API String ID: 2559590344-2084034818
                                                    • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                    • Instruction ID: 3724c6f8a90f143de888e5139cbf30da6aba329802b39ab4c51712d789d05759
                                                    • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                    • Instruction Fuzzy Hash: 08318021A1A74291EE31AB1A9C0C576A294BF66F60F994675DF1D0678DDF3CF4448320

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: _time64
                                                    • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                    • API String ID: 1670930206-4114407318
                                                    • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                    • Instruction ID: cb64c858491196f5848068a655625a0b68945ef5e6652dabb7130c3d6d0754d5
                                                    • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                    • Instruction Fuzzy Hash: 9851C662A18B8246EB109F2DD84C3BAA7A1FB62BD0F801175DB5D17BA9DF3CE041D750

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: EncodePointerabort
                                                    • String ID: MOC$RCC
                                                    • API String ID: 1188231555-2084237596
                                                    • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                    • Instruction ID: 0edec18bf06e07b6394cfc12502e818d8a227bf541f9c12271435fc1a9daf4f5
                                                    • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                    • Instruction Fuzzy Hash: F591C573A047818AE760DF68D8882BEB7A0F755B88F944129EB4D17759DF38E551C700

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: __except_validate_context_recordabort
                                                    • String ID: csm$csm
                                                    • API String ID: 746414643-3733052814
                                                    • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                    • Instruction ID: 055be24240ac830f5388dfddcf2c7db31108c8da779085e144eace93027dc5c0
                                                    • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                    • Instruction Fuzzy Hash: C071C5325086918ADBB0AF19984C67AB7A0FB52F95FC48175DB8C47B89DF7CE850C710

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                    • API String ID: 0-4114407318
                                                    • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                    • Instruction ID: 15eaceabe57845545b10eb5557120ea35fc181d5e6adebe67b5dfeae7bfe0b75
                                                    • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                    • Instruction Fuzzy Hash: 6C51C822A1878646D7209F2DE84C7BBA7A1EB92BD0F801175DB9D13B99CF3DE041D750

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: CreateFrameInfo__except_validate_context_record
                                                    • String ID: csm
                                                    • API String ID: 2558813199-1018135373
                                                    • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                    • Instruction ID: 9a6701aa6b11d48747406893ef24d9c8aefa2f01834eb9f85c61457873806a6d
                                                    • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                    • Instruction Fuzzy Hash: 4C516C3761874286D670AB19A88827FB7B4F79AF90F444174DB8D07B59EF78E860CB10
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00007FF7B6C817EB
                                                    • WSAStartup.WS2_32 ref: 00007FF7B6C8186C
                                                      • Part of subcall function 00007FF7B6C81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C81475
                                                      • Part of subcall function 00007FF7B6C81450: fprintf.MSPDB140-MSVCRT ref: 00007FF7B6C81485
                                                      • Part of subcall function 00007FF7B6C81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C81494
                                                      • Part of subcall function 00007FF7B6C81450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C814B3
                                                      • Part of subcall function 00007FF7B6C81450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C814BE
                                                      • Part of subcall function 00007FF7B6C81450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B6C814C7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                    • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                    • API String ID: 1412700758-3183687674
                                                    • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                    • Instruction ID: f997a8d45c73431e3cb7c4327893a22b7b2045b936b47cf6678ed953ff2ce9c2
                                                    • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                    • Instruction Fuzzy Hash: 1701F922A0458195F771AF15EC4D7F7A390BB9AB98F801072DF0D06655CE3CE481C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastgethostname
                                                    • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                    • API String ID: 3782448640-4114407318
                                                    • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                    • Instruction ID: f1ca160e5d345a187414a002fa4b651ffae1b8337d70a0713933cc1530c52bde
                                                    • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                    • Instruction Fuzzy Hash: F511E611A0814346E665BF28AC5C3BBA2D0AF93FA4F802175DB5F176DACE3CF0424360
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: terminate
                                                    • String ID: MOC$RCC$csm
                                                    • API String ID: 1821763600-2671469338
                                                    • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                    • Instruction ID: c4b9a6aad5636072dc64efa92559cb69a13b27d2cc91bcb4699d77422fa97d7b
                                                    • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                    • Instruction Fuzzy Hash: 37F0D13B80820681E3747B58A94C1BEB664EF69F05F8890B0C7080724ADF7CF8A08611
                                                    APIs
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF7B6C818EE), ref: 00007FF7B6C821E0
                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B6C8221E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                    • String ID: Invalid process id '%d' error %d
                                                    • API String ID: 73155330-4244389950
                                                    • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                    • Instruction ID: c3e81e2ea9dc9b8b2bcc9c473367f7cbfe1ff5f3bf4e4b1635788570971f50a1
                                                    • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                    • Instruction Fuzzy Hash: DD31F42270978285EA20AF199D0C2BAE3A1FB16FD0F940671DB5D07BD9CE7DF4508360
                                                    APIs
                                                    • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B6C8173F), ref: 00007FF7B6C83FC8
                                                    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B6C8173F), ref: 00007FF7B6C8400E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1879868109.00007FF7B6C81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B6C80000, based on PE: true
                                                     • Associated: 00000007.00000002.1879841128.00007FF7B6C80000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879887432.00007FF7B6C88000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879905453.00007FF7B6C8C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1879926252.00007FF7B6C8D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff7b6c80000_createdump.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFileHeaderRaise
                                                    • String ID: csm
                                                    • API String ID: 2573137834-1018135373
                                                    • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                    • Instruction ID: 13b4a31b17b67f09734500adab434fa6aeb64c1d1af367f17b0d34e905123d26
                                                    • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                    • Instruction Fuzzy Hash: 6E115432619B8182EB209F19F84826AB7A0FB95F94F584270DF8D07B58DF3DD555C740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$HandleModule
                                                    • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                    • API String ID: 667068680-295688737
                                                    • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                    • Instruction ID: 13faafaa79b11d291190921f60e0072ca138bbc96d9fac4fc6efb195c66ca1e6
                                                    • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                    • Instruction Fuzzy Hash: F6A194B4A49B0792EB04AB51FC656B43365BF68B85BD69035C80E0B234EF7CB259C391
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                    • API String ID: 2943138195-2884338863
                                                    • Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                    • Instruction ID: 61b4edc47fc50d0b2ac50615fc8390a472214838c67a08255218c020092db5a1
                                                    • Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                    • Instruction Fuzzy Hash: 8D925162B1CE8286E741CB15E4802BEB7A0FF85764F5011B6FA8E47AA9DF7CD544CB40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2003779279-1866435925
                                                    • Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                    • Instruction ID: 2f94d3e26226998a448cbc734b5111a65d32ccff220771df8d859c3b99a06b38
                                                    • Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                    • Instruction Fuzzy Hash: 9DA27B32609B85C2EB24DB19E4903A9B7A0FB99F90F568036DA8D4BB75DF3DD485C700
                                                    APIs
                                                    • memchr.VCRUNTIME140 ref: 00007FFE013030AA
                                                    • memchr.VCRUNTIME140 ref: 00007FFE01303470
                                                    • memchr.VCRUNTIME140 ref: 00007FFE013036A5
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0130410D
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304114
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0130411B
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304122
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304129
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304130
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304137
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0130413E
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304145
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0130414C
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE013042D3
                                                      • Part of subcall function 00007FFE012E1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1DFB
                                                      • Part of subcall function 00007FFE012E1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1E08
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
                                                    • String ID: 0123456789-
                                                    • API String ID: 3572500260-3850129594
                                                    • Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                    • Instruction ID: ee0947ec5d2b05ae0e28dab71ee193155905033af55b85be304b6a10d65c098a
                                                    • Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                    • Instruction Fuzzy Hash: A6E2CF22A09A8589EB028FA9D4A43BC37A1FB45B98F565139DE5E0B7F5DF3DD481C300
                                                    APIs
                                                      • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                      • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                      • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                      • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                      • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                      • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                      • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                    • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                    • OpenEventA.KERNEL32 ref: 0000000140008454
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                    • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                      • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                      • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                      • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                      • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                      • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                      • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                      • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                    • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                    • CloseHandle.KERNEL32 ref: 0000000140008554
                                                    • CloseHandle.KERNEL32 ref: 0000000140008561
                                                    • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                    • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                    • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                    • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                    • String ID:
                                                    • API String ID: 1089015687-0
                                                    • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                    • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                    • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                    • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                    • String ID:
                                                    • API String ID: 2074253140-0
                                                    • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                    • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                    • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                    • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: iswdigit$btowclocaleconv
                                                    • String ID: 0$0
                                                    • API String ID: 240710166-203156872
                                                    • Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                    • Instruction ID: 201f1e120416ae63c79c7144a29f7fc8e66eeabd4173c2276c8e0af34485bffe
                                                    • Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                    • Instruction Fuzzy Hash: 78813A76A1854687E7228F25D8603BAB7E1FF90F45F094139DB8A4A2B4EF3CE945C700
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0123456789-+Ee
                                                    • API String ID: 0-1347306980
                                                    • Opcode ID: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                    • Instruction ID: 4c35482facf1370f068de35e4aecec4a361cfc2a7860caaa6c1a3d86b2d6e99d
                                                    • Opcode Fuzzy Hash: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                    • Instruction Fuzzy Hash: A9C2AF26A09A8689EB518F69D15027C37E1EB91F94F548035DB9E0B7F1CF3DE866E300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memchr$isdigit$localeconv
                                                    • String ID: 0$0123456789abcdefABCDEF
                                                    • API String ID: 1981154758-1185640306
                                                    • Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                    • Instruction ID: 25893cb06f68bed769fda5a3ae7faae2bd50a81b36b7b874544020d351c3f5b0
                                                    • Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                    • Instruction Fuzzy Hash: 58914B32A0C69646E7268F24F4203BA7BD0FB45B48F4A9038DE8A4B765DB3CE845C741
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
                                                    • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                    • API String ID: 2141594249-3606100449
                                                    • Opcode ID: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                    • Instruction ID: e4307bb47a703f6cf1199545b1886b48f530c1a052c64b9e863283e088fd9e98
                                                    • Opcode Fuzzy Hash: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                    • Instruction Fuzzy Hash: 87D28C32A09A8689EB518F69D09017C37A1FB91F94B559031DA9E0F7F1DF3DE862E310
                                                    APIs
                                                    • _Find_elem.LIBCPMT ref: 00007FFE012F2C08
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F35B9
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F35C0
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F35C7
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F3776
                                                      • Part of subcall function 00007FFE012E1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1DFB
                                                      • Part of subcall function 00007FFE012E1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1E08
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                    • String ID: 0123456789-
                                                    • API String ID: 2779821303-3850129594
                                                    • Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                    • Instruction ID: fb23b9d421799a9fe217052b150a25bd63d76e1f9dbed1fb9ea835626ba9d35f
                                                    • Opcode Fuzzy Hash: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                    • Instruction Fuzzy Hash: 03E29E26A19AC6C5EB50CF29D0502BD3B64FB86B94F559039EA4E2B7B4CF3DD881D700
                                                    APIs
                                                    • _Find_elem.LIBCPMT ref: 00007FFE012F1660
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F2011
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F2018
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F201F
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F21CE
                                                      • Part of subcall function 00007FFE012E1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1DFB
                                                      • Part of subcall function 00007FFE012E1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1E08
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                    • String ID: 0123456789-
                                                    • API String ID: 2779821303-3850129594
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: iswdigit$localeconv
                                                    • String ID: 0$0$0123456789abcdefABCDEF
                                                    • API String ID: 2634821343-613610638
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                    • String ID: .$.
                                                    • API String ID: 479945582-3769392785
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0123456789-+Ee
                                                    • API String ID: 0-1347306980
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0123456789-+Ee
                                                    • API String ID: 0-1347306980
                                                    APIs
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F65AB
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F663D
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F66E0
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6B9C
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6BEE
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6C35
                                                      • Part of subcall function 00007FFE012FEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012E923E), ref: 00007FFE012FEC08
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                    • String ID:
                                                    • API String ID: 15630516-0
                                                    APIs
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6EF7
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6F89
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F702C
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F74E8
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F753A
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F7581
                                                      • Part of subcall function 00007FFE012FEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012E923E), ref: 00007FFE012FEC08
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                    • String ID:
                                                    • API String ID: 15630516-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 1799700165-0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                    • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                    • API String ID: 1825414929-3606100449
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                    • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                    • API String ID: 1825414929-3606100449
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                    • String ID:
                                                    • API String ID: 1326169664-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                    • String ID:
                                                    • API String ID: 1326169664-0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$memchr
                                                    • String ID: 0123456789ABCDEFabcdef-+Xx
                                                    • API String ID: 2740501399-2799312399
                                                    • Opcode ID: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
                                                    • Instruction ID: dc4118de5b8312566a67e00f6c33bf0cd87d404b136cca92c43d0a8dfeea9612
                                                    • Opcode Fuzzy Hash: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
                                                    • Instruction Fuzzy Hash: 3852A022B09A8389EB518F29D19017C37E1BB95B98B558431CE9E1F7B5CF3DE466E300
                                                    APIs
                                                      • Part of subcall function 00007FFE01307600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE012D3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0130760F
                                                      • Part of subcall function 00007FFE012DF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01304C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66), ref: 00007FFE012DF6FC
                                                    • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE77), ref: 00007FFE012F5F35
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE77), ref: 00007FFE012F5F4A
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE77), ref: 00007FFE012F5F58
                                                    Similarity
                                                    • API ID: free$Gettnames_lock_localesrealloc
                                                    • String ID:
                                                    • API String ID: 3705959680-0
                                                    • Opcode ID: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
                                                    • Instruction ID: 7eae0e0a0aab6718909b4fcfc843d8d6331911e8715a7e89d15dccabcac2c38e
                                                    • Opcode Fuzzy Hash: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
                                                    • Instruction Fuzzy Hash: 62824761A0DA4286EB519F25D8513B937A0BF95B84F8A4039EA4F5F3B6EF3CF4419340
                                                    APIs
                                                      • Part of subcall function 00007FFE01307600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE012D3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0130760F
                                                      • Part of subcall function 00007FFE012DF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01304C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66), ref: 00007FFE012DF6FC
                                                    • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE88), ref: 00007FFE012F5245
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE88), ref: 00007FFE012F525A
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE88), ref: 00007FFE012F5268
                                                    Similarity
                                                    • API ID: free$Gettnames_lock_localesrealloc
                                                    • String ID:
                                                    • API String ID: 3705959680-0
                                                    • Opcode ID: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
                                                    • Instruction ID: fbb4d9859452a8d0e1814f620869941fc9c33cc3aecb34c758dd8dc45ba22d91
                                                    • Opcode Fuzzy Hash: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
                                                    • Instruction Fuzzy Hash: FE824961A0DA4285FB41EF25D8513BA37A0AF95B84F864139EA4E5F3B6EF3CF4419340
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ErrorFormatLastMessage
                                                    • String ID: GetLastError() = 0x%X
                                                    • API String ID: 3479602957-3384952017
                                                    • Opcode ID: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                    • Instruction ID: 03957f339625c86e619908699dc07c15f857aa178ffe48bb474e222578fe156c
                                                    • Opcode Fuzzy Hash: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                    • Instruction Fuzzy Hash: 63219032A18BC083E7118B2AE400399B7A4F7D97A4F159315EBE8036E9EB78C545CB40
                                                    APIs
                                                      • Part of subcall function 00007FFE01301E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01301F72
                                                      • Part of subcall function 00007FFE01307600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE012D3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0130760F
                                                    • _Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66,?,?,?,?,?,?,?,00007FFE012DF7E7), ref: 00007FFE01304BCF
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66,?,?,?,?,?,?,?,00007FFE012DF7E7), ref: 00007FFE01304BE4
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66,?,?,?,?,?,?,?,00007FFE012DF7E7), ref: 00007FFE01304BF3
                                                    Similarity
                                                    • API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
                                                    • String ID:
                                                    • API String ID: 962949324-0
                                                    • Opcode ID: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                    • Instruction ID: 60f25cabc2a0f077097044d4cba8dff2f7b8207046c23d2e4aa091b9eabe0519
                                                    • Opcode Fuzzy Hash: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                    • Instruction Fuzzy Hash: 6C324F65A09A0285FB42DF65D8612B537E0BF54B84F8A4039EA4E4F7B6EF3CF6418344
                                                    APIs
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F46ED
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F473B
                                                      • Part of subcall function 00007FFE012FEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012E923E), ref: 00007FFE012FEC08
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                    • String ID:
                                                    • API String ID: 15630516-0
                                                    • Opcode ID: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                    • Instruction ID: a358dc986d1b9e19c34ebc3f7b1bbfb93985f89e5c690f702f5319da03e52c13
                                                    • Opcode Fuzzy Hash: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                    • Instruction Fuzzy Hash: 81D19D22B09B8685FB10DFA5E4002AD7372EB99B98F414136DE4D2BBA8DF7CD545D340
                                                    APIs
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F42AD
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F42FB
                                                      • Part of subcall function 00007FFE012FEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012E923E), ref: 00007FFE012FEC08
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                    • String ID:
                                                    • API String ID: 15630516-0
                                                    • Opcode ID: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                    • Instruction ID: 04d54e026f9dcc3f7d0da72c328494dce16321c423b3816df2bcc020f2e0b39b
                                                    • Opcode Fuzzy Hash: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                    • Instruction Fuzzy Hash: 13D19E22B09B8285FB10DFA5D4402AD7372EB99B98F454136DE4D2BBA8DF3CE545D340
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                    • String ID:
                                                    • API String ID: 1654775311-0
                                                    • Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                    • Instruction ID: f95d4a03c3b7b495d1b6f502de8a7ca50ff5384830e52a9edfd0ac424990b9aa
                                                    • Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                    • Instruction Fuzzy Hash: 72A19D62F0D69285FB109BA598506BC37A1BBA5F98F554035DE4D2FBA9CF3CE481E300
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                    • String ID:
                                                    • API String ID: 1654775311-0
                                                    • Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                    • Instruction ID: c9e1ac4d1097c3fe67cf72d8d0b752e26f0be1b9a5640c6d366ee6ca7c7eda55
                                                    • Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                    • Instruction Fuzzy Hash: 1AA1BF62F086A289FB109B65A4506BC37B1FBA5B98F554035DE4D1FBA9DF3CA481E300
                                                    Similarity
                                                    • API ID: DiskFreeSpace_invalid_parameter_noinfo_noreturnmemcpymemmove
                                                    • String ID:
                                                    • API String ID: 1762017149-0
                                                    • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                    • Instruction ID: 400c8b6f1c3f60da761f37db1a30001c90995c3f70e8721cc6385c4c1062a641
                                                    • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                    • Instruction Fuzzy Hash: B7415832B04B8198FB00CBA1D8416EC27B5BB88BA8F555626CE5D67BA8DF3CD185C340
                                                    Similarity
                                                    • API ID: InfoLocale___lc_locale_name_func
                                                    • String ID:
                                                    • API String ID: 3366915261-0
                                                    • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                    • Instruction ID: c9afd9bfa564ff51c22d1364f9a4d11f8e1146bfba0813409f6ac03efee6fdda
                                                    • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                    • Instruction Fuzzy Hash: F8F08C33E2C08382F3A85B18D6587782260FB95B05F40003EE10F6A6B8CF6CE544A741
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                    • Instruction ID: a1d6c9f3f130e96928a9ecf3d9ac4dfa4fdeddd6c78ad1b6f560d63523287f36
                                                    • Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                    • Instruction Fuzzy Hash: 85026026A09A8785EB608F15C45037D33A2FB85F88F559035EA4E2B3B6DF3CD846E314
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                    • Instruction ID: 9b5cdd0eebcb3f5b8c36fb6d8ba9b0b7bea0124fb8a74adef33a7725899b3628
                                                    • Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                    • Instruction Fuzzy Hash: 3F025F22A09A4689EB528F69C46437E37E1EB54F98F569036CA4D4F7B5CF3DD882C310
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _lock_locales
                                                    • String ID:
                                                    • API String ID: 3756862740-0
                                                    • Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                    • Instruction ID: 0a2dedfa2c0f746c5d5ae0f45327bfb3f9957d3c2d23aa4ca4e474514b7026dc
                                                    • Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                    • Instruction Fuzzy Hash: A0E18721A09A4386EB16DF25E9502B932E0EF94BD0F564135E98E4F7B6EF3CF4429344
                                                    APIs
                                                    • memset.VCRUNTIME140 ref: 000000014000475B
                                                      • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                      • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                      • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                    • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                      • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                    • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                    • API String ID: 2423274481-1946953090
                                                    • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                    • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                    • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                    • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                    • API String ID: 2943138195-1388207849
                                                    • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                    • Instruction ID: a74bfa1425be8e96dd24e5497d60fb17a66e5bb6bc34b32ef3846cb1a1208c0c
                                                    • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                    • Instruction Fuzzy Hash: 59F16EB2F1CE1294F7198B66D8542BC26B0BF82B64F4045FBCA1D56AB8DF3DA644C740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: `anonymous namespace'
                                                    • API String ID: 2943138195-3062148218
                                                    • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                    • Instruction ID: 5d80b17ffae3e599e4e4ee055236bd712223455a7a67871aac9c12fc7558e52c
                                                    • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                    • Instruction Fuzzy Hash: 24E12972A0CF8695EB10CF26E4802BD77A0FB86B54F4480B6EA4D57B65EF38E554C700
                                                    APIs
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                    • String ID: (
                                                    • API String ID: 703713002-3887548279
                                                    • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                    • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                    • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                    • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                    • String ID: [NOT FOUND ] %s
                                                    • API String ID: 2350601386-3340296899
                                                    • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                    • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                    • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                    • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID:
                                                    • API String ID: 2943138195-0
                                                    • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                    • Instruction ID: accf7b66260b36f056dd3b3a3c587051a8ac1890e43df09590fc01197bf6995f
                                                    • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                    • Instruction Fuzzy Hash: FCF17B72F0CA829AE711DF66D4901FC37B0AB86B58F4440F6EB4D67AA9DE38D519C340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                    • String ID:
                                                    • API String ID: 1818695170-0
                                                    • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                    • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                    • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                    • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                    • API String ID: 2943138195-2309034085
                                                    • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                    • Instruction ID: abdef68fee57e12a9e820628bd85960d1f71e23e4ef79095c2ffd812cbc038f9
                                                    • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                    • Instruction Fuzzy Hash: 4AE18C63F0CE5294FB159B6699541FC27B0AF92F64F4409F7DA0E17AB9DE3CA9088340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                    • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                    • API String ID: 140832405-680935841
                                                    • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                    • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                    • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                    • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 3436797354-393685449
                                                    • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                    • Instruction ID: cfcbaf154ffb819716330ac0142327a91cc2e5afd221a82b6249c5b13df94228
                                                    • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                    • Instruction Fuzzy Hash: DCD15E76B0CB4186EB109B66D4412BD77A4FF96BA8F0001B6DE8D57B66CF38E494C700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                    • String ID:
                                                    • API String ID: 3420081407-0
                                                    • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                    • Instruction ID: 03ade9dd95e29c7e3a0fa10b11562d9147b2de52054919fe484d249022409bde
                                                    • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                    • Instruction Fuzzy Hash: F7A1D072A08683C6FB358F20C5003BA66D1EF84BA4F598231DA9D5EBE4DF3CE5459352
                                                    APIs
                                                      • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                      • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                      • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                      • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA87E), ref: 00007FFE012E6971
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA87E), ref: 00007FFE012E698E
                                                    • _Maklocstr.LIBCPMT ref: 00007FFE012E69AA
                                                    • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA87E), ref: 00007FFE012E69B3
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA87E), ref: 00007FFE012E69D0
                                                    • _Maklocstr.LIBCPMT ref: 00007FFE012E69EC
                                                    • _Maklocstr.LIBCPMT ref: 00007FFE012E6A01
                                                      • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                      • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                      • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                    Strings
                                                    • :AM:am:PM:pm, xrefs: 00007FFE012E69FA
                                                    • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE012E6999
                                                    • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE012E69DB
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                    • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                    • API String ID: 2460671452-35662545
                                                    • Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                    • Instruction ID: d996e843333251ec09f4318feb0690a4e4d20de808819430a2e2125768a33762
                                                    • Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                    • Instruction Fuzzy Hash: 5F213032E08B4282EB10DF21E4542A973A1FBA9F94F454235DB4D5B76AEF3CE585C380
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                    • String ID:
                                                    • API String ID: 1733283546-0
                                                    • Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                    • Instruction ID: 466b6e293d749c21daa2e829c63b123a536a834e2871068326681afb7eced456
                                                    • Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                    • Instruction Fuzzy Hash: 24919132A08B82C6EB208F11D44077A77E1FB94BA8F544235EA9D5BBE8DF7CE5459700
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                    • String ID:
                                                    • API String ID: 3166507417-0
                                                    • Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                    • Instruction ID: 033a00515b61a03d448d612e33d0db01f1d5f86c9569008e22c9b6a491dac280
                                                    • Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                    • Instruction Fuzzy Hash: 36618422F085429AF712DAE2D4902FD27A1AB5474CF524139DE0D6BBA6DE3DE50AC700
                                                    APIs
                                                    • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                    • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                    • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                    • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                    • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                    • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                    • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                    • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                    • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                    • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                      • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                      • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                      • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                      • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                      • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                      • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                      • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                      • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                    • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                    • String ID:
                                                    • API String ID: 2702579277-0
                                                    • Opcode ID: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                    • Instruction ID: 4e02132fa2518a481f17a5c3ad5963577c23686a774b89ce01035fe16d76d46e
                                                    • Opcode Fuzzy Hash: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                    • Instruction Fuzzy Hash: 09618EB2608A4082FB12CB26F8947EA67A2F78EBD0F505121FB9D476B5DF3DC5498700
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2003779279-1866435925
                                                    • Opcode ID: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                    • Instruction ID: 4bf4acb633d8c11482d61b3eafabcebb4fea7e69ef3b6aecb13286d7906d5ebb
                                                    • Opcode Fuzzy Hash: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                    • Instruction Fuzzy Hash: 9391C032A18A46C5EF64DB19E4913B937A0FB94F98F868036CA4E0B7B5DF2DD446C340
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                    • API String ID: 0-3207858774
                                                    • Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                    • Instruction ID: 8f065517ab70d0ae427be357836a4a98134a18e91ecd485643e0fb1f1122e358
                                                    • Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                    • Instruction Fuzzy Hash: E2913962B0CE8699EB118B22E4502BC37E1AF96FA4B4840F6DE4D037A5EF3CE505D750
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+$Name::operator+=
                                                    • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                    • API String ID: 179159573-1464470183
                                                    • Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                    • Instruction ID: 6a2766d51977583a39626436be29324422dba0c85a325b472a095d8587eff7ad
                                                    • Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                    • Instruction Fuzzy Hash: 97513A31F1CE6699FB14CB66E8405BC37B0BF46BA4F5041BAEA0D57A68EF2AD541C700
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                    • String ID:
                                                    • API String ID: 3781602613-0
                                                    • Opcode ID: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                    • Instruction ID: 2700a91e2ba12d49783791975b32591f0156896a651a49214e5b3b373edb1ebe
                                                    • Opcode Fuzzy Hash: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                    • Instruction Fuzzy Hash: ED61F626F085469AF712DFE1C4A02FD67A1AB54748F524539DE0D3BBA9DE3CE50AC700
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID:
                                                    • API String ID: 2943138195-0
                                                    • Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                    • Instruction ID: 629e02eea09fd4d18619713f9e6fc1c533e88526bd0e2091754f5c20e8f3d606
                                                    • Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                    • Instruction Fuzzy Hash: C3615062F08F5698F701DBA2D8801FC27B1BF85BA8B4044B6EE4D6BA69DF78D545C340
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 211107550-393685449
                                                    • Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                    • Instruction ID: c3993220d239acd2e0d04f3a0dc45fd37d4f02613580c51f2be66476aaeff4e1
                                                    • Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                    • Instruction Fuzzy Hash: C6E17372B0CA818AE7109F66D4802BD7BA1FF86F68F1441B6DA9D47766DF38E485C700
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memchrtolower$_errnoisspace
                                                    • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                    • API String ID: 3508154992-2692187688
                                                    • Opcode ID: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                    • Instruction ID: 89b8b8290ea1178db5f8f89e0b72bc005d89ad8b92c61596034c61661d1e9166
                                                    • Opcode Fuzzy Hash: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                    • Instruction Fuzzy Hash: 4E512722A0D7D645EB268FA4B8203B976D07F55BE0F4A4038CD9D4F7A5DF3CA9428301
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                    • API String ID: 2943138195-2239912363
                                                    • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                    • Instruction ID: 5ca46681bb3f7eb7439df5bacf718e3a570f5ee832898dc38f2dfaa22618fc2a
                                                    • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                    • Instruction Fuzzy Hash: 2A514962F1CF9598FB118B62D8412BC77B0BF8AB64F4540FACA4D12AA5EF3C9144C710
                                                    APIs
                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                    • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                      • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                      • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                      • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                      • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                      • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                    • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                    • String ID: ImptRED_CEvent_
                                                    • API String ID: 2242036409-942587184
                                                    • Opcode ID: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                    • Instruction ID: 9b405900c275d478bf9193c59fc3990d56eeb31e22b03c6e117ca8d8066cf312
                                                    • Opcode Fuzzy Hash: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                    • Instruction Fuzzy Hash: 1D519AB2204B8096EB11CB6AE89079E7B70F389B98F504111EF8D57BA9DF3DC549CB00
                                                    APIs
                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                    • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                      • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                      • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                      • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                      • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                      • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                    • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                    • String ID: ImptRED_SEvent_
                                                    • API String ID: 2242036409-1609572862
                                                    • Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                    • Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
                                                    • Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                    • Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40
                                                    APIs
                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                    • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                      • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                      • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                      • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                      • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                      • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                    • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                    • String ID: ImptRED_CmdMap_
                                                    • API String ID: 2242036409-3276274529
                                                    • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                    • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                    • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                    • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                    APIs
                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                    • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                      • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                      • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                      • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                      • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                      • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                      • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                    • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                    • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                    • String ID: ImptRED_DMap_
                                                    • API String ID: 2242036409-2879874026
                                                    • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                    • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                    • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                    • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 1099746521-1866435925
                                                    • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                    • Instruction ID: 97a17ee5f0f70926f1d1d13e73c3f24de56a661bbc9da200bc37e30f21a67f7b
                                                    • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                    • Instruction Fuzzy Hash: 2621C161E1950BA5EF14E710E8866FA23A1FFB0740F984036D58E0E5B6EF2DE149D741
                                                    APIs
                                                      • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                      • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                      • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                    • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                      • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                    • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                    • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                    • String ID: MRDH$SideCarLut
                                                    • API String ID: 916663099-3852011117
                                                    • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                    • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                    • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                    • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2003779279-1866435925
                                                    • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                    • Instruction ID: 4efadb8599297638e2d754eb113ead64accda5fb0a33a64403f38d365d060119
                                                    • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                    • Instruction Fuzzy Hash: A8619F22A08A46C5EF64DB15E4A13B97760FB94F98F568036CA4E4B7B5DF2DD44AC300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 1428583292-1866435925
                                                    • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                    • Instruction ID: d1dca043b3b13659ccad22122f4e7f7b45402261d9aa742a60f9fdc483a7b144
                                                    • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                    • Instruction Fuzzy Hash: 8C71B173A08A82D9EB50DF25E4802BD33A0FB94B88F954032EA4D8BB68DF3DD555D740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                    • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                    • API String ID: 1852475696-928371585
                                                    • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                    • Instruction ID: 013cd142a6995ac864fa583159ae1beaf80749e4ddf302ae3493ce6572dbce35
                                                    • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                    • Instruction Fuzzy Hash: 9551AE62B1CE4696DA20CB26E4912BA6360FF85FA8F0054F6DA4E07A75EF3CE105C300
                                                    APIs
                                                    • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE013198D3
                                                    • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0130C678), ref: 00007FFE013198E4
                                                    • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE01319927
                                                    • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0130C678), ref: 00007FFE01319938
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2003779279-1866435925
                                                    • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                    • Instruction ID: 02b81eea3190659a65618eed90352b9552b4e2289c5eb2de8683dcd8d46b0ece
                                                    • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                    • Instruction Fuzzy Hash: DD617B22A08A46C5EB64DB19D4A13B93BA0FF94F98F468036CA4E4B7B5DF2DD446C341
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memchrtolower$_errnoisspace
                                                    • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                    • API String ID: 3508154992-4256519037
                                                    • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                    • Instruction ID: 924b6efaceab18c9d4edc0677a41bf7d6a47414d5b76816da63a431a698314f0
                                                    • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                    • Instruction Fuzzy Hash: 4E512C22A0D78646F7229E64A4203B976D1BF54B99F0A403CDD8D4B7B6DF3CE846C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2003779279-1866435925
                                                    • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                    • Instruction ID: 9b424ca3cd4f36dfc650c6de72f4b0bfc1f07da4876aeda759bbc9f0bbf40854
                                                    • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                    • Instruction Fuzzy Hash: 0951BB32A08A4A81EF50DB19D4D12A973A0FF94B98F564132DA9E8B7B4DF3CE845D340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+$Name::operator+=
                                                    • String ID: {for
                                                    • API String ID: 179159573-864106941
                                                    • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                    • Instruction ID: 2f68bad466aacad969667c7b83dca1f850f10dba4ab56afa6acb3d17ffcba425
                                                    • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                    • Instruction Fuzzy Hash: 24513972B0CA85A9E7119F26D4413FC63A1EB86B68F4480F6EA4C47BA5EF7CE554C310
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A536931
                                                    • GetLastError.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A53693F
                                                    • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A536958
                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A53696A
                                                    • FreeLibrary.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A5369B0
                                                    • GetProcAddress.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A5369BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                    • String ID: api-ms-
                                                    • API String ID: 916704608-2084034818
                                                    • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                    • Instruction ID: 6bee55ca76f33367972f73decf52de0ff214f3acd376dc3f719c00d5ae84bead
                                                    • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                    • Instruction Fuzzy Hash: 66319222B1EF4295EE159B0398001B662A4BF86FB0F5945FADD1E077A4EF3CE144C320
                                                    APIs
                                                      • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                      • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                      • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                      • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE01301309
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE01301326
                                                    • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE0130134B
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE01301368
                                                      • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                      • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                      • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                    Strings
                                                    • :AM:am:PM:pm, xrefs: 00007FFE01301392
                                                    • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01301331
                                                    • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE01301373
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                    • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                    • API String ID: 1539549574-35662545
                                                    • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                    • Instruction ID: 953b881eb36bfb2449f6e5069d28aff4e27fef90f824736f94d08e080fa4729d
                                                    • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                    • Instruction Fuzzy Hash: 4F214136A04B4182EB10DF21E4542A973A1FF99F94F468235DB4D4B766EF3CE585C380
                                                    APIs
                                                      • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                      • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                      • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                      • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012E6A5E
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012E6A7B
                                                    • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012E6A9B
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012E6AB8
                                                      • Part of subcall function 00007FFE012D4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4DF9
                                                      • Part of subcall function 00007FFE012D4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E28
                                                      • Part of subcall function 00007FFE012D4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E3F
                                                    Strings
                                                    • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE012E6AC3
                                                    • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE012E6A86
                                                    • :AM:am:PM:pm, xrefs: 00007FFE012E6AD4
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                    • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                    • API String ID: 1539549574-3743323925
                                                    • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                    • Instruction ID: 1c58456a21a3ef6d3ae598be053b19ee848bbcb483eccf8dce16da8c04588139
                                                    • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                    • Instruction Fuzzy Hash: 74213132D08B4282EB20DF21E45427973B0FBA9B94F455234DA4E5B766EF7CE584C740
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: abort$AdjustPointer
                                                    • String ID:
                                                    • API String ID: 1501936508-0
                                                    • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                    • Instruction ID: b8b84502707dbb4a39dd8ddb30bd53527bc5a15179d70697402766f6ae676e2b
                                                    • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                    • Instruction Fuzzy Hash: B9515AA2B0EE4281EA659B17954463C6394BFA6FE4B1584FBDA4E067A5DE3CE441C300
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: abort$AdjustPointer
                                                    • String ID:
                                                    • API String ID: 1501936508-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                    • String ID:
                                                    • API String ID: 578106097-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                    • String ID:
                                                    • API String ID: 578106097-0
                                                    APIs
                                                      • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                      • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                      • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                    • memmove.VCRUNTIME140 ref: 000000014000C3C8
                                                    • memmove.VCRUNTIME140 ref: 000000014000C427
                                                      • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                      • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memcpy$memmove$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                    • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                    • API String ID: 1084872782-103080910
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: FileHeader_local_unwind
                                                    • String ID: MOC$RCC$csm$csm
                                                    • API String ID: 2627209546-1441736206
                                                    APIs
                                                    • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                    • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                    • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                    • String ID:
                                                    • API String ID: 1492985063-0
                                                    APIs
                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB38
                                                    • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB48
                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB5D
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB91
                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB9B
                                                    • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBBAB
                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBBBB
                                                      • Part of subcall function 00007FFE013225AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5AF8), ref: 00007FFE013225C6
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                    • String ID:
                                                    • API String ID: 2538139528-0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2924853686-1866435925
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: CurrentThread$xtime_get
                                                    • String ID:
                                                    • API String ID: 1104475336-0
                                                    APIs
                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012F3B56
                                                      • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                      • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                      • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                      • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    • _Maklocstr.LIBCPMT ref: 00007FFE012F3BCF
                                                    • _Maklocstr.LIBCPMT ref: 00007FFE012F3BE5
                                                    • _Getvals.LIBCPMT ref: 00007FFE012F3C8A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                    • String ID: false$true
                                                    • API String ID: 2626534690-2658103896
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: NameName::atol
                                                    • String ID: `template-parameter$void
                                                    • API String ID: 2130343216-4057429177
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                    • API String ID: 2943138195-2211150622
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: char $int $long $short $unsigned
                                                    • API String ID: 2943138195-3894466517
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                    • String ID:
                                                    • API String ID: 3009415009-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Dunscale$_errno
                                                    • String ID:
                                                    • API String ID: 2900277114-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Dunscale$_errno
                                                    • String ID:
                                                    • API String ID: 2900277114-0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memmove$memcpy$_invalid_parameter_noinfo_noreturn
                                                    • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                    • API String ID: 100741404-1215215629
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: fgetc
                                                    • String ID:
                                                    • API String ID: 2807381905-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                    • String ID:
                                                    • API String ID: 3490103321-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                    • String ID:
                                                    • API String ID: 3490103321-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 1775671525-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: FileHandle$CloseCreateInformation
                                                    • String ID:
                                                    • API String ID: 1240749428-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                    • String ID:
                                                    • API String ID: 3741236498-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                    • String ID:
                                                    • API String ID: 2153537742-0
                                                    APIs
                                                    • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2F59
                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2F6B
                                                    • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2F7A
                                                    • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2FE0
                                                    • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2FEE
                                                    • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D3001
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                    • String ID:
                                                    • API String ID: 490008815-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle$FileUnmapView
                                                    • String ID:
                                                    • API String ID: 260491571-0
                                                    • Opcode ID: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                    • Instruction ID: e4157fc547da492297a5d265050bc8fab675aa544c6886f43f24823cbbcadd6d
                                                    • Opcode Fuzzy Hash: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                    • Instruction Fuzzy Hash: 1DF01438616E00D5FA07DB63ECA83A427A1BB8DBD9F440211EB4E4B331DE3F85998300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: abort$CallEncodePointerTranslator
                                                    • String ID: MOC$RCC
                                                    • API String ID: 2889003569-2084237596
                                                    • Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                    • Instruction ID: 55dbf0f9a6f14d12056fcb565902045fecf3254740b3f942bf11110ca60b9df2
                                                    • Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                    • Instruction Fuzzy Hash: C6916373B08B858AE710CB66E4402BD7BA0FB45BA8F1441AAEE8D57765DF38D195C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                    • API String ID: 2943138195-757766384
                                                    • Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                    • Instruction ID: 9f74497f2fc56d1a7475553cacc5e65d7be2e0b4612b24877036a67dda4f10f9
                                                    • Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                    • Instruction Fuzzy Hash: AE716C71B0CE8684EB248F26D9552BC66A0BF46BA4F4445FBDA4D07AB9DF3CA250C310
                                                    APIs
                                                    • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                      • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                      • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                    • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                    • API String ID: 3207467095-2931640462
                                                    • Opcode ID: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                    • Instruction ID: 2da19ac7c4dfbac8c42f28ebd32a6b72bd3b2cb838895640dc67fbc0c8e08b7c
                                                    • Opcode Fuzzy Hash: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                    • Instruction Fuzzy Hash: DC5169B2B10A5489EB11CF6AE8407DD37B1F709BA8F504216EF2A67BE9DB74C581C740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: abort$CallEncodePointerTranslator
                                                    • String ID: MOC$RCC
                                                    • API String ID: 2889003569-2084237596
                                                    • Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                    • Instruction ID: 1a411bf3eebd0cf35ff1481b0f3d1a66eb583ef3b722ff249820aa8b9cc95aa6
                                                    • Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                    • Instruction Fuzzy Hash: C7617976B09B858AE714CF66D0803BD77A0FB85BA8F0442A6EE4D17B69CF78E155C700
                                                    APIs
                                                    • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0130B212), ref: 00007FFE0130BBFE
                                                    • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0130B212), ref: 00007FFE0130BC0F
                                                    • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0130B212), ref: 00007FFE0130BC76
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: iswspace$iswxdigit
                                                    • String ID: (
                                                    • API String ID: 3812816871-3887548279
                                                    • Opcode ID: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                    • Instruction ID: e6fa179b95cf3ff185fe2fc6f3aac53f9d6ffd3322a4df5ee2bf55db3a09f1e8
                                                    • Opcode Fuzzy Hash: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                    • Instruction Fuzzy Hash: C051C66AD04553C2EF259FA1D5242FAF2E5EF20B84F4A8039DA494E0B8FF3DE841D211
                                                    APIs
                                                    • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01309122), ref: 00007FFE01309CFA
                                                    • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01309122), ref: 00007FFE01309D0B
                                                    • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01309122), ref: 00007FFE01309D64
                                                    • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01309122), ref: 00007FFE01309E14
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: isspace$isalnumisxdigit
                                                    • String ID: (
                                                    • API String ID: 3355161242-3887548279
                                                    • Opcode ID: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                    • Instruction ID: ddcc190cd7882eb24c4b6642996ba14ea032fda5fd9553a23dbbd53b457c1fe6
                                                    • Opcode Fuzzy Hash: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                    • Instruction Fuzzy Hash: 2E41C517D0C18256EB224FB1A9753F56BD29F25B88F0AA039CA9C0F1A7DE1DEC06C711
                                                    APIs
                                                      • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                      • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                      • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                      • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE012EA22C), ref: 00007FFE012F3A25
                                                      • Part of subcall function 00007FFE012DB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7BF
                                                      • Part of subcall function 00007FFE012DB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7DB
                                                    • _Getvals.LIBCPMT ref: 00007FFE012F3A61
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                    • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                    • API String ID: 3848194746-3573081731
                                                    • Opcode ID: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                    • Instruction ID: ef6788c1b185db575d8ac64797a6d61dfc9d644ba37ebaeb0323322c5fe37dfd
                                                    • Opcode Fuzzy Hash: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                    • Instruction Fuzzy Hash: 0C41CD32A08BC297E724CF22D19056D7BA0FB86781B054239DB8967E21DF7CF566DB00
                                                    APIs
                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012F3CE2
                                                      • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                      • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                      • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                      • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    • _Maklocstr.LIBCPMT ref: 00007FFE012F3D5B
                                                    • _Maklocstr.LIBCPMT ref: 00007FFE012F3D71
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                    • String ID: false$true
                                                    • API String ID: 309754672-2658103896
                                                    • Opcode ID: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                    • Instruction ID: c7479058d66a42e7cdccc8b6aee281f22f470a52c986f3ab8bb9e0bea09fe002
                                                    • Opcode Fuzzy Hash: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                    • Instruction Fuzzy Hash: 13416A26B18B459AE710DFB0E4501ED33B0FB98748B415126EE4D2BB69EF3CD595C390
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2003779279-1866435925
                                                    • Opcode ID: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                    • Instruction ID: c1ce28ad8ad113b2ee44a712aea37ef0fb0df18ec9d87f10b60bba69810f0c47
                                                    • Opcode Fuzzy Hash: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                    • Instruction Fuzzy Hash: F921C262A0868796EF14DB25E5413B963A0FFA0784F844035E78D4FAB5DF3CE1A5D340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                    • API String ID: 2003779279-1866435925
                                                    • Opcode ID: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                    • Instruction ID: 4a510f2d8903fa1e67bf62fcfe4ede6903bd7b0820d8c1bb3292bbe7d7d32692
                                                    • Opcode Fuzzy Hash: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                    • Instruction Fuzzy Hash: 7FF0D161A1850B96EF18E710D8826F92361FBA0744FA44531D28E0F5F5EF3DE14AC781
                                                    APIs
                                                    • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                    • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                    • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                    • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                    • String ID:
                                                    • API String ID: 3275830057-0
                                                    • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                    • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                    • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                    • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: fgetwc
                                                    • String ID:
                                                    • API String ID: 2948136663-0
                                                    • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                    • Instruction ID: 38e42cc01f34616d9fff52603d292eb9ce3a649526e1bbefd883eef4b4f3d175
                                                    • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                    • Instruction Fuzzy Hash: 05813F72A09A82C8DB10DF65C0903AC33E1FB98B98F555636EA4D8BBA9DF3DD554D300
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 2665656946-0
                                                    • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                    • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                    • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                    • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                    APIs
                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DB9D3
                                                    • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DB9E1
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBA1A
                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBA24
                                                    • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBA32
                                                      • Part of subcall function 00007FFE013225AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5AF8), ref: 00007FFE013225C6
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
                                                    • String ID:
                                                    • API String ID: 3375828981-0
                                                    • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                    • Instruction ID: 5b6d50271de4be59124b76868fa4fdc8408e79e605fb5ae3fb8306f79e14092a
                                                    • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                    • Instruction Fuzzy Hash: 1531D421B0868391EF14AF16E5143BAA391FB45BD0F594531EF9D0FBAADE7CE0819301
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: NameName::$Name::operator+
                                                    • String ID:
                                                    • API String ID: 826178784-0
                                                    • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                    • Instruction ID: 609a5f5545df136b8435a2d2338e33e32412857adb40e1dcaf06d2dd9b2951fc
                                                    • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                    • Instruction Fuzzy Hash: FC412722F0DE9688EB10CB22D8801B837A4BF96FA0B5440F7DA5D537A5EF39E955C300
                                                    APIs
                                                      • Part of subcall function 00007FFE012E2160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE012D4C3E,?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012E216F
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C47
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C5B
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C6F
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C83
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C97
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4CAB
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free$setlocale
                                                    • String ID:
                                                    • API String ID: 294139027-0
                                                    • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                    • Instruction ID: 02be1a525fa9713a1af93c4f78f6452b9bf9a4c3b3c1009480e0544d25111e80
                                                    • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                    • Instruction Fuzzy Hash: 08111B22A06A4681FB19AFA1C0F533923E1EF94F18F181134CA0E0D568CF7DE894E3C1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func$abortfputcfputs
                                                    • String ID:
                                                    • API String ID: 2697642930-0
                                                    • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                    • Instruction ID: eb75b078fecf4ed78343adf5c9bf5e7a9a9ed2ed3969bcc3f9be600a7f0b060b
                                                    • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                    • Instruction Fuzzy Hash: 0EE0ECB4A08646C6E7087F61FC1D374A3269F68F62F350038C90F8A375CE2C65884212
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                    • String ID: %.0Lf$0123456789-
                                                    • API String ID: 4032823789-3094241602
                                                    • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                    • Instruction ID: 4184f1e5456e1fd7d7c2638d5595a96fb05cf256abeb742d4f5044a212386e78
                                                    • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                    • Instruction Fuzzy Hash: 76717F62B09B9689EB00CF65E4546AC3371FB89B98F404036DE4D2BBA8DE3CD559D340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                    • String ID: 0123456789-
                                                    • API String ID: 2457263114-3850129594
                                                    • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                    • Instruction ID: ef900e26d95d00fc7b0167d473e48d8ca315643c4ed2f5a682ac50b34ae7884a
                                                    • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                    • Instruction Fuzzy Hash: B771A072B09B8589FB11DBB5D4602AC77B1EB59B98F450039DE4D2BBA9CE3CD45AC300
                                                    APIs
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                    • String ID: gfffffff$gfffffff
                                                    • API String ID: 3668304517-161084747
                                                    • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                    • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                    • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                    • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                    • String ID: %.0Lf
                                                    • API String ID: 1248405305-1402515088
                                                    • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                    • Instruction ID: 563a3a759f4000057c8ee8c1dbc61e128b92dca3567ee5f7aaddce415b7ae98a
                                                    • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                    • Instruction Fuzzy Hash: 7061B422B08B8585EB01DBB5E8502ED7771FB59B94F154135EE8D2BB69DE3CE046C340
                                                    APIs
                                                      • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A5341C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: abort
                                                    • String ID: $csm$csm
                                                    • API String ID: 4206212132-1512788406
                                                    • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                    • Instruction ID: f94bd2f6ee013b0f5ef064bd4bf5aa4cd285101840c6bae28b81c84547c3d211
                                                    • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                    • Instruction Fuzzy Hash: AD71923A70CA8186D7648B1694507797FA0FF86FA6F0481B6EF8D47AA6CE3CD451C740
                                                    APIs
                                                      • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A533F13
                                                    • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A533F23
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                    • String ID: csm$csm
                                                    • API String ID: 4108983575-3733052814
                                                    • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                    • Instruction ID: d97c5460246ee17a826f15377bd7d26be3eb26be9688e44686fc9df53f140255
                                                    • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                    • Instruction Fuzzy Hash: E4512C32B0CA8286EA648B16944427976A0FF96FB5F5441B7DA8D47BA6CF3CE451CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Exception$RaiseThrowabort
                                                    • String ID: csm
                                                    • API String ID: 3758033050-1018135373
                                                    • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                    • Instruction ID: 9b1d79431955005ba25bc5c992d1cfc7274eaeba9b0521cff523b6ac0ef5295e
                                                    • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                    • Instruction Fuzzy Hash: 15514F22904B86CAEB15CF28D4502E833A0FB98B58F159325DB9D1B7A6DF3DE5D5C340
                                                    APIs
                                                    • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012DF8D4
                                                    • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012DF8E6
                                                    • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012DF96B
                                                      • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                      • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                      • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: setlocale$freemallocmemcpy
                                                    • String ID: bad locale name
                                                    • API String ID: 1663771476-1405518554
                                                    • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                    • Instruction ID: ac71526880d578b23e44f05458b308ec9ba1973a68ba2bb81653269911571c29
                                                    • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                    • Instruction Fuzzy Hash: 0331F722F0868341FB55DB16E54117AA3D1AFD5BC0F588035DA9E8F7B5DE3CE8829341
                                                    APIs
                                                      • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                      • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                      • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                      • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE012EA07C), ref: 00007FFE012F38E1
                                                      • Part of subcall function 00007FFE012DB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7BF
                                                      • Part of subcall function 00007FFE012DB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7DB
                                                      • Part of subcall function 00007FFE012E67B0: _Maklocstr.LIBCPMT ref: 00007FFE012E67E0
                                                      • Part of subcall function 00007FFE012E67B0: _Maklocstr.LIBCPMT ref: 00007FFE012E67FF
                                                      • Part of subcall function 00007FFE012E67B0: _Maklocstr.LIBCPMT ref: 00007FFE012E681E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                    • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                    • API String ID: 2904694926-3573081731
                                                    • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                    • Instruction ID: 676944a6fdcba66a80d6d162a8708c1e52dc3c083097e967072da96239933756
                                                    • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                    • Instruction Fuzzy Hash: 8741CC72A08BC297E724CF21919056EBBA1FB85781B054239CB8D67A21DF7CF562DB00
                                                    APIs
                                                      • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                      • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                      • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                      • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFE01302278), ref: 00007FFE0130434D
                                                      • Part of subcall function 00007FFE012DB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7BF
                                                      • Part of subcall function 00007FFE012DB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7DB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                    • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                    • API String ID: 3376215315-3573081731
                                                    • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                    • Instruction ID: 71f39a14d54bc8f54c7cccf911282f93b8a664d664ff95171a0124f9274303d6
                                                    • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                    • Instruction Fuzzy Hash: CA41C072A08B8297E725CF21919016D7BE0FB44B81B064139CB8957E21DB3CF672CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: NameName::
                                                    • String ID: %lf
                                                    • API String ID: 1333004437-2891890143
                                                    • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                    • Instruction ID: d1cb95642941fd45f01bff71cc34e70669a6f8dbc50eb8b6b98e7dac3ba66477
                                                    • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                    • Instruction Fuzzy Hash: AF318022B0CE8585EA20CB26A85027A6360FF86F94F4481F7EA9E47665DF3CE5428740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: FileFindNext$wcscpy_s
                                                    • String ID: .
                                                    • API String ID: 544952861-248832578
                                                    • Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                    • Instruction ID: 44dcc48c591e7f899d7062e86ff5411a2167c0246c86213e7ad3e89335a421bd
                                                    • Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                    • Instruction Fuzzy Hash: F6218462E0C68282FB709B25F8047B963A0EB94B94F884131DACD4B6A4DF3CD4559740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                    • String ID: ios_base::badbit set
                                                    • API String ID: 1099746521-3882152299
                                                    • Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                    • Instruction ID: cd60e37100690f45ce499feee6f9b34e9a19da9e90c2ec76aabab192adcf2bf4
                                                    • Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                    • Instruction Fuzzy Hash: 55014961F2C60791FB18D725D845ABD2392EFE0744F148136D58E0E9B9DE3DE10A9340
                                                    APIs
                                                      • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A53243E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: abortterminate
                                                    • String ID: MOC$RCC$csm
                                                    • API String ID: 661698970-2671469338
                                                    • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                    • Instruction ID: 71b0fc6e5e28853ddfe2614336c8319ef393e8049bc7849868c0392f889cfc5a
                                                    • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                    • Instruction Fuzzy Hash: 4CF08C36A0CE4681EB505F23A18007D3261FF99FA0F0850F7D74802262CF3CD4A0C611
                                                    APIs
                                                    • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE1A53E9F0
                                                      • Part of subcall function 00007FFE1A53EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A53ECF0
                                                      • Part of subcall function 00007FFE1A53EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A53E9F5), ref: 00007FFE1A53ED3F
                                                      • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A53EA1A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                    • String ID: csm$f
                                                    • API String ID: 2451123448-629598281
                                                    • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                    • Instruction ID: fe0d4b3af82a2f3562fd1e2f783c302dc6d51a382ce8b4787ba6c53bdc702396
                                                    • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                    • Instruction Fuzzy Hash: E3E06575F1CB4681E7206BA3B18513D26E5BF96F74F1480FADE4807666CE3CE8D09601
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID:
                                                    • API String ID: 2943138195-0
                                                    • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                    • Instruction ID: de3f9428d105a4ed303fede87917347479305529f309faa4fec75df94d2a6e69
                                                    • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                    • Instruction Fuzzy Hash: D8917CA2F0CE96C9F7118B62D8503BC27B0BF82B68F5440F6DA4D576A5DF78A845C340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                    • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+$NameName::
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: memset$_invalid_parameter_noinfo_noreturnmemmove
                                                    • String ID:
                                                    APIs
                                                    • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE012E67E5), ref: 00007FFE012E6EA1
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE012E67E5), ref: 00007FFE012E6EF2
                                                    • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE012E67E5), ref: 00007FFE012E6EFC
                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE012E6F3D
                                                    Similarity
                                                    • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID:
                                                    APIs
                                                    • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE012FE921), ref: 00007FFE0130AFB7
                                                    • memcpy.VCRUNTIME140(?,00000000,?,?,?,00007FFE012FE921), ref: 00007FFE0130AFDB
                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE012FE921), ref: 00007FFE0130AFE8
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE012FE921), ref: 00007FFE0130B05B
                                                      • Part of subcall function 00007FFE012D2E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE012D2E5A
                                                      • Part of subcall function 00007FFE012D2E30: LCMapStringEx.KERNEL32 ref: 00007FFE012D2E9E
                                                    Similarity
                                                    • API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: _wfsopen$fclosefseek
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: _fsopen$fclosefseek
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                    • String ID:
                                                    APIs
                                                    • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0130576B), ref: 00007FFE0130A604
                                                    • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0130576B), ref: 00007FFE0130A60E
                                                      • Part of subcall function 00007FFE012D26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE012D2728
                                                      • Part of subcall function 00007FFE012D26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE012D274E
                                                      • Part of subcall function 00007FFE012D26E0: GetCPInfo.KERNEL32 ref: 00007FFE012D2792
                                                    • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFE0130576B), ref: 00007FFE0130A631
                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE0130576B), ref: 00007FFE0130A66F
                                                    Similarity
                                                    • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                    • String ID:
                                                    APIs
                                                    • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                      • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                      • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                    • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                    • API String ID: 1351999747-1487749591
                                                    • Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                    • Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
                                                    • Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                    • Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750
                                                    APIs
                                                    • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                    • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                    • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                    • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                    • String ID:
                                                    • API String ID: 3203701943-0
                                                    • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                    • Instruction ID: b1ad7c0b150ff4c26969a88d454f772a478b1fdaff2f2aff604a3f517e09f7ba
                                                    • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                    • Instruction Fuzzy Hash: 3701A1B2E15B9186EB059F7A9804178E7E0FB68B88B159235DA4E8B624DA7CD1828700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: memmove$FormatFreeLocalMessage
                                                    • String ID: unknown error
                                                    • API String ID: 725469203-3078798498
                                                    • Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                    • Instruction ID: 83804c3a90c71e40909023663549e33d1ad2d69d22e9b04eef45f955e013eb59
                                                    • Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                    • Instruction Fuzzy Hash: 87118E22A0878582E7119F25E50036DB7E0FB99BD8F098134DB8D0F7AACF7CC1548741
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: malloc
                                                    • String ID: MOC$RCC$csm
                                                    • API String ID: 2803490479-2671469338
                                                    • Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                    • Instruction ID: 74f3813ccb9013ffeee046df45ab86a69e6e1423f6e9065ec320c944944edfe4
                                                    • Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                    • Instruction Fuzzy Hash: 88018F21E08103C6EB649F15D58417E22F1EF98B88F585032DE8D0B7A5CE2CA891E612
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                    • String ID: 0123456789-
                                                    • API String ID: 4032823789-3850129594
                                                    • Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                    • Instruction ID: e12c180568a43a60b6cb08a8930f8396f08f1466c7ff88a49694e84d4492df15
                                                    • Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                    • Instruction Fuzzy Hash: 13718132B09B9A85EB10CFA5D4506AC3371FB49B98F414036DE4D2BBA8DE3CE55AD340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                    • String ID: %.0Lf
                                                    • API String ID: 296878162-1402515088
                                                    • Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                    • Instruction ID: 3aa83cd08aebcb1bb9fb07ba47564100c05e2efb56e8f8ed70625b3584de079e
                                                    • Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                    • Instruction Fuzzy Hash: 9C719F32B08B8685EB11DB66E8406AD73B1EF95B98F114136EE4D2BBA9DF3CD055C340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                    • String ID: %.0Lf
                                                    • API String ID: 296878162-1402515088
                                                    • Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                    • Instruction ID: d0d77ea40bb1da55aaee2c2b0e7cd9064b724d1fcc7ae7ce9a7073d1cf08b3fc
                                                    • Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                    • Instruction Fuzzy Hash: 3271AE32B08B8685EB11DB65E8406AD73B1EF99B98F114136EE4D2BB69EF3CD055D300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: rand_s
                                                    • String ID: invalid random_device value
                                                    • API String ID: 863162693-3926945683
                                                    • Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                    • Instruction ID: d98494970cc966d2ffd91393c4e3408dc239ca5c58e99e530a83aecb318b3f83
                                                    • Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                    • Instruction Fuzzy Hash: CC511A22D18E4685F353DF3484612BA63A4BF253C8F12473AE65E3E5B6DF2DB0968340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: abort$CreateFrameInfo
                                                    • String ID: csm
                                                    • API String ID: 2697087660-1018135373
                                                    • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                    • Instruction ID: f7f131ed5dccea3007f1aa77877381869e52ecf36d6b516042412206feaeb24a
                                                    • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                    • Instruction Fuzzy Hash: E9512B7671CB8186D620AB17A04127E77B5FB8ABA1F1405B6DB8D07B66CF38E461CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                    • String ID: !%x
                                                    • API String ID: 1195835417-1893981228
                                                    • Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                    • Instruction ID: 62ea2f6d4b2dbb9fc2f45521c95913f8cc3a5efd87602901a1f92427ce511a42
                                                    • Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                    • Instruction Fuzzy Hash: 4B41AC22F18A9189FB01CBA5D8507EC3B71BB54798F454535EE8D2BBA9DF3CE1858340
                                                    APIs
                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE012D3305
                                                      • Part of subcall function 00007FFE013225AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5AF8), ref: 00007FFE013225C6
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE012D57FA,?,?,?,00007FFE012D4438), ref: 00007FFE012D32FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                    • String ID: ios_base::failbit set
                                                    • API String ID: 1934640635-3924258884
                                                    • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                    • Instruction ID: 26b9e2593801cf91b8d1ab8556d3ba5e825c1684d66e6feca9e4d1cd7d1ab806
                                                    • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                    • Instruction Fuzzy Hash: 7A21B471B09B8285DB60DB11E5402AAB3E4FB88BE0F544631EEDC4BBA9EF3CD5458740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: Name::operator+
                                                    • String ID: void$void
                                                    • API String ID: 2943138195-3746155364
                                                    • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                    • Instruction ID: 6d1d44f62ee5a8f2598de29236c61aeedd567e38c12f4c28790ba6cc887ffc0a
                                                    • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                    • Instruction Fuzzy Hash: A7312762F1CE5988FB10CB62E8510FC37B0BB89B58B4405BADE4E53B69EF389144C750
                                                    APIs
                                                      • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                    • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                    • API String ID: 1654775311-1428855073
                                                    • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                    • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                    • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                    • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                    APIs
                                                    • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE012DC744), ref: 00007FFE012DF1D4
                                                      • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                      • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                      • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                      • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                    • String ID: false$true
                                                    • API String ID: 2502581279-2658103896
                                                    • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                    • Instruction ID: 658422008463be6eb12ca5444aaa249887bb342f20a22b0da97ebfa9138561c9
                                                    • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                    • Instruction Fuzzy Hash: 9A219437608B8681E720DF21E4503A977A0FBACBA8F454536DA8C0B369DF3CD555C780
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: FileHeader$ExceptionRaise
                                                    • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                    • API String ID: 3685223789-3176238549
                                                    • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                    • Instruction ID: 2e7033c215fcb6bc7fb7089690df9eaf4ea99f5ff855eece9ab13efdae4accf1
                                                    • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                    • Instruction Fuzzy Hash: 3701B161B2DE4692EE009B16E4511B96320FFD1FA4F4060F7E60E07ABAEF6CD404C710
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFileHeaderRaise
                                                    • String ID: csm
                                                    • API String ID: 2573137834-1018135373
                                                    • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                    • Instruction ID: c4682dba150fd1e7b3611c8f821ee4c8cf76714fe250407acccca985c27949dd
                                                    • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                    • Instruction Fuzzy Hash: 57112E32A1CB4182EB518F16E44026A7BA5FB85F94F1841B5DE8D07B64EF3DD5518700
                                                    APIs
                                                    • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE012D69ED
                                                      • Part of subcall function 00007FFE012D4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4DF9
                                                      • Part of subcall function 00007FFE012D4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E28
                                                      • Part of subcall function 00007FFE012D4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E3F
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE012D6A0A
                                                    Strings
                                                    • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE012D6A15
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free$Getdaysmallocmemcpy
                                                    • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                    • API String ID: 1347072587-3283725177
                                                    • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                    • Instruction ID: b9ae3ee86edea433ee43d7792133afd94736df8288ee79788b358fe209c6bd5a
                                                    • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                    • Instruction Fuzzy Hash: 16E0ED21A15B4292EB20AB12F58436973A0FF58BA4F545134DB4D0BB65DF3CE5A48701
                                                    APIs
                                                    • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE012D6A3D
                                                      • Part of subcall function 00007FFE012D4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4DF9
                                                      • Part of subcall function 00007FFE012D4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E28
                                                      • Part of subcall function 00007FFE012D4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E3F
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE012D6A5A
                                                    Strings
                                                    • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE012D6A65
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free$Getmonthsmallocmemcpy
                                                    • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                    • API String ID: 1628830074-2030377133
                                                    • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                    • Instruction ID: c3c12a03f94fc2660c134b7473e8fe8461dab79ca4a9bf3b2610f6ed785efb74
                                                    • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                    • Instruction Fuzzy Hash: 5CE0ED21A15B4292EB50AB52F58436963A0FF59B94F846034DB4E0BB65DF7CE5B4C301
                                                    APIs
                                                    • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE012D62CD
                                                      • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                      • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                      • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE012D62EA
                                                    Strings
                                                    • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE012D62F5
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free$Getdaysmallocmemcpy
                                                    • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                    • API String ID: 1347072587-3283725177
                                                    • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                    • Instruction ID: a7e68cca9976ab3f2b71f1355aa5b496982764f33d20dbb5dc5349032cbc2643
                                                    • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                    • Instruction Fuzzy Hash: CAE01231B14B8292EF14AB12F598369A3A0FF58B90F959434DB5D0B765EF3CE5A4C700
                                                    APIs
                                                    • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE012D633D
                                                      • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                      • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                      • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE012D635A
                                                    Strings
                                                    • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE012D6365
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free$Getmonthsmallocmemcpy
                                                    • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                    • API String ID: 1628830074-4232081075
                                                    • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                    • Instruction ID: e0570ebbd2ae4a31e3beb914ab2531e83aaa6b335682b909cdee821d0d003aeb
                                                    • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                    • Instruction Fuzzy Hash: B1E0ED21A15B4292EF10AB52F58436963B0FF69B90F485034DB5D0B765DF3CE5E4C780
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrow
                                                    • String ID:
                                                    • API String ID: 432778473-0
                                                    • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                    • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                    • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                    • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1883136147.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                     • Associated: 0000000A.00000002.1883098556.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883292752.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883340254.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883374626.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1883419248.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 2822070131-0
                                                    • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                    • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                    • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                    • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,?,00007FFE1A5365B9,?,?,?,?,00007FFE1A53FB22,?,?,?,?,?), ref: 00007FFE1A53674B
                                                    • SetLastError.KERNEL32(?,?,?,00007FFE1A5365B9,?,?,?,?,00007FFE1A53FB22,?,?,?,?,?), ref: 00007FFE1A5367D4
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886821724.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886794391.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886857897.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886930559.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1886992092.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                     • Associated: 0000000A.00000002.1887016112.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID:
                                                    • API String ID: 1452528299-0
                                                    • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                    • Instruction ID: 0ee3973e0b358cfa8cd0812017aa008c343511199b665b3dec7f189b38af078c
                                                    • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                    • Instruction Fuzzy Hash: FE113324F0DE5282FA549723A8141362691AF86FB0F5446FED96E07BF5EE2CA8418720
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                     • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                    • Instruction ID: 0d9203cf52b7065a0cf309b4486876d554da35dbdb00ce4a844dedcc2e48a162
                                                    • Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                    • Instruction Fuzzy Hash: 5AF03732A58B0292EB05AB16E9A42687360FF98FA0F154031CB4D0BB30DF2CE4A58301
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                    • Instruction ID: 069ecb6d7e6c5a195196fce75081fc0cea932f151188af4687dcbdb002f19c47
                                                    • Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                    • Instruction Fuzzy Hash: 6CF03732A58B4292EB04AB16E9A42A87360FF98FA0F155031CB4D0BB30DF2CE4A58301
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                    • Instruction ID: 82c6af49b1ecde7a55f65884b4c0a6acd93b4b22ee4d51ace497864b928394cc
                                                    • Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                    • Instruction Fuzzy Hash: E5F0FF31B58B4292DB44AB15E9942B873A0FF98FA0F155031CB4D4BB74DF7DE5A58301
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1886336662.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                    • Associated: 0000000A.00000002.1886250114.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886537305.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886572387.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886685168.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886711858.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                    • Associated: 0000000A.00000002.1886738655.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffe012d0000_ImporterREDServer.jbxd
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                    • Instruction ID: 58d41ec1d684bf7f8bd88d596ba4ee4fab07df26313e7707898e0fc87e549b40
                                                    • Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                    • Instruction Fuzzy Hash: 18E0B672E54A0182EB14AF22D8A417863B0FFA8F69F192032CF0E4A334CE6CD9958341