Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
E8vC8KRIp1.msi

Overview

General Information

Sample name:E8vC8KRIp1.msi
renamed because original name is a hash value
Original sample name:9df778cfa48c5988fa1f817e6edc91882e5de20addba0b5e6a4ff5fca701d24e.msi
Analysis ID:1580398
MD5:c5080f60e79b1b30d3867848856f4eb3
SHA1:52883bed5c40f588b47a1f4df35d8131cc153e21
SHA256:9df778cfa48c5988fa1f817e6edc91882e5de20addba0b5e6a4ff5fca701d24e
Tags:denimcard-comLegionLoadermsiRobotDropperuser-johnk3r
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
AI detected suspicious sample
Bypasses PowerShell execution policy
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious MsiExec Embedding Parent
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 6244 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\E8vC8KRIp1.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6432 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 3652 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B6FC27F7B452802029F995C7B4F25DAE MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 6064 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6576 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 6048 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 2124 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Script Interpreter Execution From Suspicious Folder
Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B6FC27F7B452802029F995C7B4F25DAE, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6064, ProcessName: powershell.exe
Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B6FC27F7B452802029F995C7B4F25DAE, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6064, ProcessName: powershell.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B6FC27F7B452802029F995C7B4F25DAE, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6064, ProcessName: powershell.exe
Sigma detected: Suspicious MsiExec Embedding Parent
Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B6FC27F7B452802029F995C7B4F25DAE, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6064, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B6FC27F7B452802029F995C7B4F25DAE, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3652, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6064, ProcessName: powershell.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: https://denimcard.com/updater.phpxAvira URL Cloud: Label: malware
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 84.4% probability
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}Jump to behavior
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1866060831.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: E8vC8KRIp1.msi
Source: Binary string: ucrtbase.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: E8vC8KRIp1.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000A.00000002.1873546260.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: E8vC8KRIp1.msi
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000000.1869353199.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1866060831.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: E8vC8KRIp1.msi
Source: Binary string: ucrtbase.pdbUGP source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: E8vC8KRIp1.msi, MSI6204.tmp.1.dr, MSI5FFB.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000000.1869353199.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: E8vC8KRIp1.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: E8vC8KRIp1.msi, MSI6195.tmp.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: E8vC8KRIp1.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: E8vC8KRIp1.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: E8vC8KRIp1.msi, MSI6195.tmp.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: E8vC8KRIp1.msi
Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
Source: C:\Windows\System32\cmd.exeFile opened: c:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0141A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,10_2_00007FFE0141A330
Source: unknownDNS traffic detected: query: denimcard.com replaycode: Name error (3)
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: denimcard.com
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: E8vC8KRIp1.msiString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 00000003.00000002.1819270070.0000000007378000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: E8vC8KRIp1.msiString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: E8vC8KRIp1.msiString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: E8vC8KRIp1.msiString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://ocsp.digicert.com0C
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://ocsp.digicert.com0H
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://ocsp.digicert.com0I
Source: E8vC8KRIp1.msiString found in binary or memory: http://ocsp.digicert.com0K
Source: E8vC8KRIp1.msiString found in binary or memory: http://ocsp.digicert.com0N
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000002.1815746508.0000000005046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: E8vC8KRIp1.msiString found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000003.00000002.1815746508.0000000004EF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1815746508.0000000005046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://www.digicert.com/CPS0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ImporterREDServer.exe, 0000000A.00000002.1873546260.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.drString found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000003.00000002.1815746508.0000000004EF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: E8vC8KRIp1.msiString found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: E8vC8KRIp1.msiString found in binary or memory: https://denimcard.com/updater.phpx
Source: powershell.exe, 00000003.00000002.1815746508.0000000005046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1815746508.000000000534F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: classes_nocoops.jsa.1.drString found in binary or memory: https://java.oracle.com/
Source: powershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: E8vC8KRIp1.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\575731.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5FFB.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6098.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6106.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6146.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6195.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI61C5.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6204.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7E19.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI86A5.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI86B6.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\575734.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\575734.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI5FFB.tmpJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_000000014001222010_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_000000014000839010_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_0000000140007FC010_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0141F9B010_2_00007FFE0141F9B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0143220810_2_00007FFE01432208
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0144F9DA10_2_00007FFE0144F9DA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0144288010_2_00007FFE01442880
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0141E8B010_2_00007FFE0141E8B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE014260D010_2_00007FFE014260D0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0142ABB010_2_00007FFE0142ABB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0143434010_2_00007FFE01434340
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0144A27C10_2_00007FFE0144A27C
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0143633810_2_00007FFE01436338
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0144BDA010_2_00007FFE0144BDA0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE014495A810_2_00007FFE014495A8
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE01442D7010_2_00007FFE01442D70
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0142CDF010_2_00007FFE0142CDF0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE01436C8410_2_00007FFE01436C84
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0142644010_2_00007FFE01426440
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0143547010_2_00007FFE01435470
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0142946010_2_00007FFE01429460
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE01430C6010_2_00007FFE01430C60
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0142BCD010_2_00007FFE0142BCD0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE014444E010_2_00007FFE014444E0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0143478010_2_00007FFE01434780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0141C78010_2_00007FFE0141C780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE01428FB010_2_00007FFE01428FB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0141D81010_2_00007FFE0141D810
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0144B69810_2_00007FFE0144B698
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0142DF1010_2_00007FFE0142DF10
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0143071010_2_00007FFE01430710
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE01433F0010_2_00007FFE01433F00
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE1A53750810_2_00007FFE1A537508
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs E8vC8KRIp1.msi
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs E8vC8KRIp1.msi
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenameDataUploader.dllF vs E8vC8KRIp1.msi
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs E8vC8KRIp1.msi
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenameucrtbase.dllj% vs E8vC8KRIp1.msi
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenamevcruntime140.dllT vs E8vC8KRIp1.msi
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenamemsvcp140.dllT vs E8vC8KRIp1.msi
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs E8vC8KRIp1.msi
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs E8vC8KRIp1.msi
Source: E8vC8KRIp1.msiBinary or memory string: OriginalFilenameembeddeduiproxy.dllF vs E8vC8KRIp1.msi
Source: dvacore.dll.1.drBinary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engineClassification label: mal64.evad.winMSI@17/91@2/0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_0000000140010BE0 GetLastError,FormatMessageA,10_2_0000000140010BE0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0141A7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn,10_2_00007FFE0141A7B0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CML8EFA.tmpJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2740:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFA026166BCFF63B4F.TMPJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\PayloadJump to behavior
Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\E8vC8KRIp1.msi"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B6FC27F7B452802029F995C7B4F25DAE
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B6FC27F7B452802029F995C7B4F25DAEJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""Jump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: dvacore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: libzip.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: boost_system.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: boost_date_time.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: boost_threads.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: boost_filesystem.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: dvaunittesting.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: utest.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}Jump to behavior
Source: E8vC8KRIp1.msiStatic file information: File size 60281856 > 1048576
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1866060831.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: E8vC8KRIp1.msi
Source: Binary string: ucrtbase.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: E8vC8KRIp1.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000A.00000002.1873546260.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: E8vC8KRIp1.msi
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000000.1869353199.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1866060831.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: E8vC8KRIp1.msi
Source: Binary string: ucrtbase.pdbUGP source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: E8vC8KRIp1.msi, MSI6204.tmp.1.dr, MSI5FFB.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000000.1869353199.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: E8vC8KRIp1.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: E8vC8KRIp1.msi, MSI6195.tmp.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: E8vC8KRIp1.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: E8vC8KRIp1.msi
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: E8vC8KRIp1.msi
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: E8vC8KRIp1.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: E8vC8KRIp1.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: E8vC8KRIp1.msi, MSI6195.tmp.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: E8vC8KRIp1.msi
Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.drStatic PE information: section name: _RDATA
Source: UnRar.exe.1.drStatic PE information: section name: _RDATA
Source: BCUninstaller.exe.1.drStatic PE information: section name: _RDATA
Source: createdump.exe.1.drStatic PE information: section name: _RDATA
Source: MSI86B6.tmp.1.drStatic PE information: section name: .fptable
Source: MSI5FFB.tmp.1.drStatic PE information: section name: .fptable
Source: MSI6098.tmp.1.drStatic PE information: section name: .fptable
Source: MSI6106.tmp.1.drStatic PE information: section name: .fptable
Source: MSI6146.tmp.1.drStatic PE information: section name: .fptable
Source: MSI6195.tmp.1.drStatic PE information: section name: .fptable
Source: MSI61C5.tmp.1.drStatic PE information: section name: .fptable
Source: MSI6204.tmp.1.drStatic PE information: section name: .fptable
Source: MSI7E19.tmp.1.drStatic PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_02DEBD82 push esp; ret 3_2_02DEBD93
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5FFB.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6204.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6106.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6195.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6098.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7E19.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI86B6.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI61C5.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6146.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6195.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6098.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI61C5.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6146.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI86B6.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7E19.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6204.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5FFB.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6106.tmpJump to dropped file
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0144C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_00007FFE0144C0C0
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3569Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1896Jump to behavior
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6195.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6098.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7E19.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI86B6.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5FFB.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI61C5.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6146.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6204.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6106.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeAPI coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4428Thread sleep count: 3569 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4040Thread sleep count: 1896 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3332Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1608Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE0141A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,10_2_00007FFE0141A330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: classes_nocoops.jsa.1.drBinary or memory string: <"()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.drBinary or memory string: java/lang/VirtualMachineError
Source: classes_nocoops.jsa.1.drBinary or memory string: %jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.drBinary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk/vm/ci/runtime/JVMCI
Source: classes_nocoops.jsa.1.drBinary or memory string: )()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: UG#java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.1.drBinary or memory string: ()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.drBinary or memory string: #()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.drBinary or memory string: VirtualMachineError.java
Source: MSI6195.tmp.1.drBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk/vm/ci/common/JVMCIError
Source: classes_nocoops.jsa.1.drBinary or memory string: ()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.drBinary or memory string: ()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: java/lang/VirtualMachineError.class
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeCode function: 7_2_00007FF6B1682ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF6B1682ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeCode function: 7_2_00007FF6B1683074 SetUnhandledExceptionFilter,7_2_00007FF6B1683074
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeCode function: 7_2_00007FF6B1682ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF6B1682ECC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeCode function: 7_2_00007FF6B1682984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF6B1682984
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_0000000140011F24 SetUnhandledExceptionFilter,10_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE01462CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE01462CDC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE1A524568 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE1A524568
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 10_2_00007FFE1A54004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE1A54004C

HIPS / PFW / Operating System Protection Evasion

barindex
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss874c.ps1" -propfile "c:\users\user\appdata\local\temp\msi8749.txt" -scriptfile "c:\users\user\appdata\local\temp\scr874a.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr874b.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss874c.ps1" -propfile "c:\users\user\appdata\local\temp\msi8749.txt" -scriptfile "c:\users\user\appdata\local\temp\scr874a.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr874b.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: ___lc_locale_name_func,GetLocaleInfoEx,10_2_00007FFE0143EFC0
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeCode function: 7_2_00007FF6B1682DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF6B1682DA0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		1
Replication Through Removable Media		1
Command and Scripting Interpreter		1
Windows Service		1
Windows Service		21
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		1
Scripting		11
Process Injection		1
Disable or Modify Tools		LSASS Memory11
Security Software Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
DLL Side-Loading		1
DLL Side-Loading		21
Virtualization/Sandbox Evasion		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDS21
Virtualization/Sandbox Evasion		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Deobfuscate/Decode Files or Information		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
Obfuscated Files or Information		Cached Domain Credentials11
Peripheral Device Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
Timestomp		DCSync1
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
DLL Side-Loading		Proc Filesystem24
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
File Deletion		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1580398 Sample: E8vC8KRIp1.msi Startdate: 24/12/2024 Architecture: WINDOWS Score: 64 48 denimcard.com 2->48 50 Antivirus detection for URL or domain 2->50 52 AI detected suspicious sample 2->52 54 Sigma detected: Suspicious Script Execution From Temp Folder 2->54 56 Sigma detected: Script Interpreter Execution From Suspicious Folder 2->56 9 msiexec.exe 139 107 2->9         started        12 msiexec.exe 2 2->12         started        signatures3 process4 file5 34 C:\Windows\Installer\MSI86B6.tmp, PE32 9->34 dropped 36 C:\Windows\Installer\MSI7E19.tmp, PE32 9->36 dropped 38 C:\Windows\Installer\MSI6204.tmp, PE32 9->38 dropped 40 52 other files (none is malicious) 9->40 dropped 14 msiexec.exe 14 9->14         started        18 cmd.exe 1 9->18         started        20 createdump.exe 1 9->20         started        process6 file7 42 C:\Users\user\AppData\Local\...\scr874A.ps1, Unicode 14->42 dropped 44 C:\Users\user\AppData\Local\...\pss874C.ps1, Unicode 14->44 dropped 46 C:\Users\user\AppData\Local\...\msi8749.txt, Unicode 14->46 dropped 58 Bypasses PowerShell execution policy 14->58 22 powershell.exe 17 14->22         started        24 ImporterREDServer.exe 1 18->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        signatures8 process9 process10 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll0%ReversingLabs
C:\Windows\Installer\MSI5FFB.tmp0%ReversingLabs
C:\Windows\Installer\MSI6098.tmp0%ReversingLabs
C:\Windows\Installer\MSI6106.tmp0%ReversingLabs
C:\Windows\Installer\MSI6146.tmp0%ReversingLabs
C:\Windows\Installer\MSI6195.tmp0%ReversingLabs
C:\Windows\Installer\MSI61C5.tmp0%ReversingLabs
C:\Windows\Installer\MSI6204.tmp0%ReversingLabs
C:\Windows\Installer\MSI7E19.tmp0%ReversingLabs
C:\Windows\Installer\MSI86B6.tmp0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://java.oracle.com/0%Avira URL Cloudsafe
http://schemas.mick0%Avira URL Cloudsafe
https://denimcard.com/updater.phpx100%Avira URL Cloudmalware
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
denimcard.com
unknown
unknownfalse
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://crl.micropowershell.exe, 00000003.00000002.1819270070.0000000007378000.00000004.00000020.00020000.00000000.sdmpfalse
        		high
        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1815746508.0000000005046000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://aka.ms/pscore6lBpowershell.exe, 00000003.00000002.1815746508.0000000004EF1000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1815746508.0000000005046000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://go.micropowershell.exe, 00000003.00000002.1815746508.000000000534F000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://contoso.com/powershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://java.oracle.com/classes_nocoops.jsa.1.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://contoso.com/Licensepowershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Iconpowershell.exe, 00000003.00000002.1818399068.0000000005F59000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://schemas.mickE8vC8KRIp1.msifalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-ImporterREDServer.exe, 0000000A.00000002.1873546260.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.drfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://aka.ms/winui2/webview2download/Reload():E8vC8KRIp1.msifalse
                          		high
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1815746508.0000000004EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://denimcard.com/updater.phpxE8vC8KRIp1.msifalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1815746508.0000000005046000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high

                              World Map of Contacted IPs

                              No contacted IP infos

                              General Information

                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1580398
                              Start date and time:2024-12-24 13:05:13 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 7m 55s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:15
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:E8vC8KRIp1.msi
                              renamed because original name is a hash value
                              Original Sample Name:9df778cfa48c5988fa1f817e6edc91882e5de20addba0b5e6a4ff5fca701d24e.msi
                              Detection:MAL
                              Classification:mal64.evad.winMSI@17/91@2/0
                              EGA Information:
                              • Successful, ratio: 33.3%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 14
                              • Number of non-executed functions: 206
                              Cookbook Comments:
                              • Found application associated with file extension: .msi

                              Warnings

                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63, 4.245.163.56
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target ImporterREDServer.exe, PID 6048 because there are no executed function
                              • Execution Graph export aborted for target powershell.exe, PID 6064 because it is empty
                              • Not all processes where analyzed, report is missing behavior information
                              • VT rate limit hit for: E8vC8KRIp1.msi

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              07:06:18API Interceptor4x Sleep call for process: powershell.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASNs

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeinstaller.msiGet hashmaliciousUnknownBrowse
                                3gPZmVbozD.msiGet hashmaliciousUnknownBrowse
                                  setup.msiGet hashmaliciousUnknownBrowse
                                    installer.msiGet hashmaliciousUnknownBrowse
                                      setup.msiGet hashmaliciousUnknownBrowse
                                        Setup.msiGet hashmaliciousUnknownBrowse
                                          q9bzWO2X1r.msiGet hashmaliciousUnknownBrowse
                                            C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exeinstaller.msiGet hashmaliciousUnknownBrowse
                                              3gPZmVbozD.msiGet hashmaliciousUnknownBrowse
                                                setup.msiGet hashmaliciousUnknownBrowse
                                                  installer.msiGet hashmaliciousUnknownBrowse
                                                    setup.msiGet hashmaliciousUnknownBrowse
                                                      Setup.msiGet hashmaliciousUnknownBrowse
                                                        q9bzWO2X1r.msiGet hashmaliciousUnknownBrowse

                                                          Created / dropped Files

                                                          C:\Config.Msi\575733.rbs

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):20975
                                                          Entropy (8bit):5.7548623459758295
                                                          Encrypted:false
                                                          SSDEEP:384:mKQ7kNiBDzJ1XE6utNf4VD78Zte4lS9ccSq54NT2WlUyoPDiKvb3TpoDNP4+7RNO:mKQ7kNiBDzJ1XE6utNf4VD78Zte4lS9L
                                                          MD5:E1BCAD53E7094E762EA7CC0E01A87773
                                                          SHA1:CBE7E0AF16D344EE45ED92EF8F0431161DF40076
                                                          SHA-256:ED38B6C0B596667E93C457891973C07CF61A7D5A803E65BC92E1A2778E13DAF2
                                                          SHA-512:7E8C96454C79C0E2B2AE682430867A4A7CFEA05F9600BF0031DDD1F5AC3FA959CADD525811718B08300C8A5E90D7BFF9117FCDED82D6DC8A2DB98210D9009240
                                                          Malicious:false
                                                          Preview:...@IXOS.@.....@.8.Y.@.....@.....@.....@.....@.....@......&.{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}..App x installer..E8vC8KRIp1.msi.@.....@.....@.....@......icon_22.exe..&.{CC0834DB-EC05-405A-9761-DDE937BC3BCF}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}.@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}&.{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}.@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}&.{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}.@......&.{DE28A560-E5E1-4035-8CA3-44934686A249}&.{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}.@......&.{03D39B98-E7BB-4062-BD92-307D642A5CF1}&.{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{C

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1360
                                                          Entropy (8bit):5.415059038751397
                                                          Encrypted:false
                                                          SSDEEP:24:3Uyt3WSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R82r6SVbu:ky9WSU4y4RQmFoUeWmfmZ9tK8NWR823Q
                                                          MD5:C9FCDEDA736FE17312D6972E2794F6C0
                                                          SHA1:577B74490A15625AA1F5EB1C3FDC1CEF6CC08826
                                                          SHA-256:B9903D16E49921FE437EC4C8DA74163F9369C519B8E3F3DC763B73AF2B40422A
                                                          SHA-512:96A1C2ADBE659F8D15BE35B342DA7479A2F196F64D9DA82F22E618391C12E37E413F25E539EC17AF3F7FD2DAAF656D2EA509E022BF00BD88A91681484FC98A44
                                                          Malicious:false
                                                          Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbyz3uyd.010.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wjmsmnle.12t.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\msi8749.txt

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):96
                                                          Entropy (8bit):2.99798449505456
                                                          Encrypted:false
                                                          SSDEEP:3:QmalTuOIAlSRYplflbPRYplf955:Qmalt9lLZiLN
                                                          MD5:F26BF481CA203C7D611850139ACBEF41
                                                          SHA1:EA86C45B436D1B8F5F42F87AE5034332A5BCFEC4
                                                          SHA-256:A6AE6BBFC3486BA26A9A3C67B127D6972D16B8B925BDE4AF20880EE1B1D997CB
                                                          SHA-512:D1D2AE7C30A146AC1A85BDC133CE1F105AFC6F4EC8C5BD21A8EAACD0910929D3A9FCB540AB533A253C296C51DC71D1AE58749F7449DAB1C530E82D78D3544E4E
                                                          Malicious:true
                                                          Preview:..C.e.v.e.r.a.l.S.e.s. .:.<.-.>.:. . .<.<.:.>.>. .T.r.i.a.l.N.o.w. .:.<.-.>.:. .0. .<.<.:.>.>. .

                                                          C:\Users\user\AppData\Local\Temp\pss874C.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):6668
                                                          Entropy (8bit):3.5127462716425657
                                                          Encrypted:false
                                                          SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                          MD5:30C30EF2CB47E35101D13402B5661179
                                                          SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                          SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                          SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                          Malicious:true
                                                          Preview:..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

                                                          C:\Users\user\AppData\Local\Temp\scr874A.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):250
                                                          Entropy (8bit):3.576902729499699
                                                          Encrypted:false
                                                          SSDEEP:6:QfFok79idK3fclQ9zgltHN+KiVmMXFVrMTlp1LlG7JidK3fpdInO:QfF3IugM/XFVrMTWNvn
                                                          MD5:479FAC6E0C05C5A57698619AFE51DEF2
                                                          SHA1:1AF4A4DB75ACE8324ED7BFF59D711E80A7BDB821
                                                          SHA-256:700080D274E5629A2BFA0D47B9BAF53AD69E67A64A2B04D84115D5851AB3DDBD
                                                          SHA-512:B0B5065C216EBC1124B985F3FF86EE7C7E7E9B994190D1103C454EDD602E0242B7160BFFB202538470254675DFACAC6159F1A459B979DAD563BDED84FCED193E
                                                          Malicious:true
                                                          Preview:..$.o.i.g.n.q.p. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".C.e.v.e.r.a.l.S.e.s.".....$.a.v.o.i.j.g. .=. .[.u.i.n.t.3.2.].(.$.o.i.g.n.q.p. .-.r.e.p.l.a.c.e. .'.b.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".T.r.i.a.l.N.o.w.". .$.a.v.o.i.j.g.

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):310928
                                                          Entropy (8bit):6.001677789306043
                                                          Encrypted:false
                                                          SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                          MD5:147B71C906F421AC77F534821F80A0C6
                                                          SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                          SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                          SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: installer.msi, Detection: malicious, Browse
                                                          • Filename: 3gPZmVbozD.msi, Detection: malicious, Browse
                                                          • Filename: setup.msi, Detection: malicious, Browse
                                                          • Filename: installer.msi, Detection: malicious, Browse
                                                          • Filename: setup.msi, Detection: malicious, Browse
                                                          • Filename: Setup.msi, Detection: malicious, Browse
                                                          • Filename: q9bzWO2X1r.msi, Detection: malicious, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}|...|...|....../p....../v....../1...u.a.l....../u...|........./v....../}...Rich|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):117496
                                                          Entropy (8bit):6.136079902481222
                                                          Encrypted:false
                                                          SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                          MD5:F67792E08586EA936EBCAE43AAB0388D
                                                          SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                          SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                          SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: installer.msi, Detection: malicious, Browse
                                                          • Filename: 3gPZmVbozD.msi, Detection: malicious, Browse
                                                          • Filename: setup.msi, Detection: malicious, Browse
                                                          • Filename: installer.msi, Detection: malicious, Browse
                                                          • Filename: setup.msi, Detection: malicious, Browse
                                                          • Filename: Setup.msi, Detection: malicious, Browse
                                                          • Filename: q9bzWO2X1r.msi, Detection: malicious, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,|..B/..B/..B/.../..B/.G...B/.F...B/.A...B/.C...B/.C...B/..G...B/<.C...B/..C/..B/<.G...B/<../..B/.../..B/<.@...B/Rich..B/................PE..d.....-a..........#............................@.....................................].... .................................................D...,...............`....................]..T...................P_..(...P^...............0..H............................text............................... ..`.rdata...o...0...p..."..............@..@.data...@...........................@....pdata..`...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):506008
                                                          Entropy (8bit):6.4284173495366845
                                                          Encrypted:false
                                                          SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                          MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                          SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                          SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                          SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............|.&.....|.$.J...|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12224
                                                          Entropy (8bit):6.596101286914553
                                                          Encrypted:false
                                                          SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                          MD5:919E653868A3D9F0C9865941573025DF
                                                          SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                          SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                          SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12224
                                                          Entropy (8bit):6.640081558424349
                                                          Encrypted:false
                                                          SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                          MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                          SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                          SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                          SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11712
                                                          Entropy (8bit):6.6023398138369505
                                                          Encrypted:false
                                                          SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                          MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                          SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                          SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                          SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11720
                                                          Entropy (8bit):6.614262942006268
                                                          Encrypted:false
                                                          SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                          MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                          SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                          SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                          SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11720
                                                          Entropy (8bit):6.654155040985372
                                                          Encrypted:false
                                                          SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                          MD5:94788729C9E7B9C888F4E323A27AB548
                                                          SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                          SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                          SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15304
                                                          Entropy (8bit):6.548897063441128
                                                          Encrypted:false
                                                          SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                          MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                          SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                          SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                          SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11712
                                                          Entropy (8bit):6.622041192039296
                                                          Encrypted:false
                                                          SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                          MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                          SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                          SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                          SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11720
                                                          Entropy (8bit):6.730719514840594
                                                          Encrypted:false
                                                          SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                          MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                          SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                          SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                          SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11720
                                                          Entropy (8bit):6.626458901834476
                                                          Encrypted:false
                                                          SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                          MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                          SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                          SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                          SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12232
                                                          Entropy (8bit):6.577869728469469
                                                          Encrypted:false
                                                          SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                          MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                          SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                          SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                          SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11712
                                                          Entropy (8bit):6.6496318655699795
                                                          Encrypted:false
                                                          SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                          MD5:A038716D7BBD490378B26642C0C18E94
                                                          SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                          SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                          SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12736
                                                          Entropy (8bit):6.587452239016064
                                                          Encrypted:false
                                                          SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                          MD5:D75144FCB3897425A855A270331E38C9
                                                          SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                          SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                          SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14280
                                                          Entropy (8bit):6.658205945107734
                                                          Encrypted:false
                                                          SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                          MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                          SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                          SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                          SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12224
                                                          Entropy (8bit):6.621310788423453
                                                          Encrypted:false
                                                          SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                          MD5:808F1CB8F155E871A33D85510A360E9E
                                                          SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                          SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                          SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11720
                                                          Entropy (8bit):6.7263193693903345
                                                          Encrypted:false
                                                          SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                          MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                          SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                          SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                          SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12744
                                                          Entropy (8bit):6.601327134572443
                                                          Encrypted:false
                                                          SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                          MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                          SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                          SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                          SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14272
                                                          Entropy (8bit):6.519411559704781
                                                          Encrypted:false
                                                          SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                          MD5:E173F3AB46096482C4361378F6DCB261
                                                          SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                          SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                          SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12232
                                                          Entropy (8bit):6.659079053710614
                                                          Encrypted:false
                                                          SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                          MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                          SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                          SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                          SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11200
                                                          Entropy (8bit):6.7627840671368835
                                                          Encrypted:false
                                                          SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                          MD5:0233F97324AAAA048F705D999244BC71
                                                          SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                          SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                          SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12224
                                                          Entropy (8bit):6.590253878523919
                                                          Encrypted:false
                                                          SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                          MD5:E1BA66696901CF9B456559861F92786E
                                                          SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                          SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                          SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11720
                                                          Entropy (8bit):6.672720452347989
                                                          Encrypted:false
                                                          SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                          MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                          SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                          SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                          SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13760
                                                          Entropy (8bit):6.575688560984027
                                                          Encrypted:false
                                                          SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                          MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                          SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                          SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                          SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12232
                                                          Entropy (8bit):6.70261983917014
                                                          Encrypted:false
                                                          SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                          MD5:D175430EFF058838CEE2E334951F6C9C
                                                          SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                          SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                          SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12744
                                                          Entropy (8bit):6.599515320379107
                                                          Encrypted:false
                                                          SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                          MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                          SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                          SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                          SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12232
                                                          Entropy (8bit):6.690164913578267
                                                          Encrypted:false
                                                          SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                          MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                          SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                          SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                          SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11720
                                                          Entropy (8bit):6.615761482304143
                                                          Encrypted:false
                                                          SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                          MD5:735636096B86B761DA49EF26A1C7F779
                                                          SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                          SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                          SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12744
                                                          Entropy (8bit):6.627282858694643
                                                          Encrypted:false
                                                          SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                          MD5:031DC390780AC08F498E82A5604EF1EB
                                                          SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                          SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                          SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15816
                                                          Entropy (8bit):6.435326465651674
                                                          Encrypted:false
                                                          SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                          MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                          SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                          SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                          SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12232
                                                          Entropy (8bit):6.5874576656353145
                                                          Encrypted:false
                                                          SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                          MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                          SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                          SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                          SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13768
                                                          Entropy (8bit):6.645869978118917
                                                          Encrypted:false
                                                          SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                          MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                          SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                          SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                          SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):61176
                                                          Entropy (8bit):5.850944458899023
                                                          Encrypted:false
                                                          SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                          MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                          SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                          SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                          SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.X.F...F...F...>O..F.......F.......F.......F.......F.......F...F...F..-/...F..-/...F..-/#..F...FK..F..-/...F..Rich.F..........PE..d.....-a.........." .....X...|.......Y.................................................... .....................................................x.......h.......................0...P...T.......................(....................p..X............................text....V.......X.................. ..`.rdata...X...p...Z...\..............@..@.data...............................@....pdata..............................@..@.rsrc...h...........................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):127224
                                                          Entropy (8bit):6.217127607919178
                                                          Encrypted:false
                                                          SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                          MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                          SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                          SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                          SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'y.fI*.fI*.fI*...*.fI*..M+.fI*..J+.fI*..L+.fI*..H+.fI*..H+.fI*..H+.fI*.fH*.fI*..L+.fI*..I+.fI*...*.fI*.f.*.fI*..K+.fI*Rich.fI*................PE..d.....-a.........." ......................................................... ............ ..........................................x..|B..............p.......@...............D....>..T...................0@..(...0?............... ...............................text...p........................... ..`.rdata....... ......................@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc..D...........................@..B................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):418040
                                                          Entropy (8bit):6.1735291180760505
                                                          Encrypted:false
                                                          SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                          MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                          SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                          SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                          SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+ ..Es..Es..Es...s..Es..Ar..Es..Fr..Es..@r..Es..Dr..Es..Dr..Es..Ds(.Es..@r..Es..Er..Es..s..Es...s..Es..Gr..EsRich..Es........PE..d.....-a.........." .........:.......................................................4.... .........................................`n...T...........p.......0..d2...D.................T...................0...(...0................ ...............................text...\........................... ..`.rdata..h.... ......................@..@.data....7.......0..................@....pdata..d2...0...4..................@..@.rsrc........p.......8..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):698104
                                                          Entropy (8bit):6.463466021766765
                                                          Encrypted:false
                                                          SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                          MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                          SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                          SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                          SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.B.P.B.P.B.P.K...N.P...T.J.P...S.@.P...U.Z.P...Q.F.P...Q.G.P.B.Q...P..U.P.P..P.C.P...C.P.B...C.P..R.C.P.RichB.P.........................PE..d.....-a.........." ................l................................................s.... ..........................................7..T...4...........X....`...D...................Q..T...................@S..(...@R..................H............................text............................... ..`.rdata...V.......X..................@..@.data...`(...0..."..................@....pdata...D...`...F...6..............@..@.rsrc...X............|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):31480
                                                          Entropy (8bit):5.969706735107452
                                                          Encrypted:false
                                                          SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                          MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                          SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                          SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                          SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{...{...{...r.e.....)...h...)...s...)...y...)....... ...x...{...E......y......z......z...{.a.z......z...Rich{...........PE..d.....-a.........." .....,...4......@0................................................... ..........................................T......tU..x.......`....p.......^..............0F..T....................G..(....F...............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...h....`.......N..............@....pdata.......p.......R..............@..@.rsrc...`............V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):103672
                                                          Entropy (8bit):5.851546804507911
                                                          Encrypted:false
                                                          SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                          MD5:129051E3B7B8D3CC55559BEDBED09486
                                                          SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                          SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                          SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X..............&........................................&.............&......&......&.J.......".....&......Rich............................PE..d.....-a.........." ................4...............................................:..... ..........................................J.......[..........`............x..............`...T.......................(....................................................text............................... ..`.rdata.............................@..@.data........p.......N..............@....pdata...............\..............@..@.rsrc...`............n..............@..@.reloc...............t..............@..B........................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):57488
                                                          Entropy (8bit):6.382541157520703
                                                          Encrypted:false
                                                          SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                          MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                          SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                          SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                          SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4664568
                                                          Entropy (8bit):6.259383987199329
                                                          Encrypted:false
                                                          SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                          MD5:A6A89F55416DB79D9E13B82685A04D60
                                                          SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                          SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                          SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........$n..J=..J=..J=...=..J=..N<..J=..I<..J=..O<..J=..K<..J=..N<..J=..L<..J=..K<..J=..K<..J=..K=i.J=..N<..J=..O<U.J=..J<..J=..=..J=...=..J=..H<..J=Rich..J=................PE..d.....-a.........." ......+..........f(.......................................I.......H... ..........................................7>.8.....A......@I.......G......G......PI..F....1.T...................0.1.(...0.1...............+..............................text.....+.......+................. ..`.rdata.......+.......+.............@..@.data....'...`B......DB.............@....pdata.......G.......E.............@..@.rsrc........@I.......F.............@..@.reloc...F...PI..H....F.............@..B........................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):215288
                                                          Entropy (8bit):6.050529290720027
                                                          Encrypted:false
                                                          SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                          MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                          SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                          SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                          SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[..5...5...5......5...1...5...6...5...0...5...4...5...4...5.#.4...5...4.-.5.#.0...5.#.5...5.#....5.......5.#.7...5.Rich..5.........PE..d.....-a.........." .........j...............................................p............ ..............................................!...........P..h....0.......,.......`..........T...........................@................................................text............................... ..`.rdata..............................@..@.data....$..........................@....pdata.......0... ..................@..@.rsrc...h....P......."..............@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ghiuoqfj.rar

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:RAR archive data, v5
                                                          Category:dropped
                                                          Size (bytes):357262
                                                          Entropy (8bit):7.999586354126859
                                                          Encrypted:true
                                                          SSDEEP:6144:GD5G7Ah3tsy+aSXnWGWJJTkI9oKXKW7wXQ5IkvruFPYK/lUBEH3tHn+Lyevfaeu0:GD5G7Gtsva2WLJJTkeKW7wXEIkvSHUB/
                                                          MD5:00A69CF80C777D2523BB7D4A89B18A70
                                                          SHA1:E76D43D1540EA6926CE9D8C32152FC77EE098D4C
                                                          SHA-256:624F4B28A39BE65A42A663EDDBE8FA5568B6463C905A1D22B31E85F8B6964296
                                                          SHA-512:7CB51814B7C13F3BACE25FED6612C02714BAB94C82A1A5D373211AB769E23B273F43F281D0C1CCEB2A3444758EBB3928CA39BEF430495C31F9416B46FFB7ADC2
                                                          Malicious:false
                                                          Preview:Rar!......xS!......0..W..A.D)=!....1..,.Ie...z..:.I./...W...s=..K.he.....d.....\*Fj.Q5k..a%...R.m.WW^7.47.....i...<Y@..4.....d..K]..v.t.~...bFg..$)..q.%3.`W..f.a..W..o.U.........;;...uF2..F.j...R..F.....P..GT...+..L.8:$b.6I..%..U.....Rq.P.f0..HV#..%.6....k.......K.[Vd.{.$.._.U..18.Q.A........9.=V...Ro?...U.....Z.C..9.~TH/KPa.8.nN&.....;#..q..9.y..../.]..FKV.(.~....nCF.v.w...ru....B.....;....L....\...zz.d:...r.........}..../..N0........A%..a...Fgl..e..{6..6?q..Ca.-.Z.Gna....j.Q....C...].|..O.p}.i.....Z..._6.cM....ypv2........I.h%.Y...y..z...S....-d.S.`6...2..3_..-..].h.<L&....[..f.......fsX..2..9jW..Qb1...F9....!7&2....lL.<p....%..[.T_............wyQ...L..P.%...P.}.q?.....{o...c.c#2.....H.X....!Q..V.\gA.q.T.6.9....#.W.#$...Q0....J>...........E.......~...0...s...,.%.T.<)N#...]p.{.....\..U..Q..p.x...T.....7s..p..4...V....).b.gj.h...?b..k."....m...*).F/....&...]....c2.b.U.PH..u~oB..j.p........9Vy..r../.y.q....J..............K.%.h..

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):566704
                                                          Entropy (8bit):6.494428734965787
                                                          Encrypted:false
                                                          SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                          MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                          SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                          SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                          SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):22
                                                          Entropy (8bit):3.879664004902594
                                                          Encrypted:false
                                                          SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                          MD5:D9324699E54DC12B3B207C7433E1711C
                                                          SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                          SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                          SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                          Malicious:false
                                                          Preview:@echo off..Start "" %1

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\una_front\classes.jsa

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):12124160
                                                          Entropy (8bit):4.1175508751036585
                                                          Encrypted:false
                                                          SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                          MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                          SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                          SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                          SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                          Malicious:false
                                                          Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\una_front\classes_nocoops.jsa

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):12124160
                                                          Entropy (8bit):4.117842215789484
                                                          Encrypted:false
                                                          SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                          MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                          SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                          SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                          SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                          Malicious:false
                                                          Preview:....j..L.........*.\.....................................+..............................j..-.....................................!>.............................|<:.......................A.......@...... t...............................".....................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\una_front\java.datatransfer.jmod

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Java jmod module version 1.0
                                                          Category:dropped
                                                          Size (bytes):51389
                                                          Entropy (8bit):7.916683616123071
                                                          Encrypted:false
                                                          SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                          MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                          SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                          SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                          SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                          Malicious:false
                                                          Preview:JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^*#.j...R.A..qV.1o...p.....|._.-N$.!.;X....|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be.*.eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.*t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N....*..r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\una_front\java.desktop.jmod

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Java jmod module version 1.0
                                                          Category:dropped
                                                          Size (bytes):12133334
                                                          Entropy (8bit):7.944474086295981
                                                          Encrypted:false
                                                          SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                          MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                          SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                          SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                          SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                          Malicious:false
                                                          Preview:JM..PK.........n/Q................classes/module-info.class.X...e../.l.!..!.#..M..."..g..#.B.........0;{.AAD.EE..QQQ.aG....{.]....7......~.{....k...{....<HD...4.......x%?G.4_St.Z...\..].+c..t.t........iC./...gZ..].8C..D'M...\3.+~5......z.<.f1..2.v./.As.Lv.....`2.M%...d.h..S`....YC.....D.u0-l.V#.5.,.e..)[..[.v..*............d.I...A........A+&."..8g.)"..E..1!.Z.]....Ak..5.......<'..L8bC..V4.U2.~$...i....)."I...O...d:......@..S...w0m...-....2..x....z.....O....k.8.}....P.....=..I/...<../.d..k....43VL.i...........C.S|`..!b.8....3.Ey..S..e..+.../T..j...g..B.@q9.."..>.LU..2-i....-.!....Z....g.BGl.j..R...Z.D.YJ.Kd...9 l.FN4.Rk.22..b..Rn...u..x.,...j.I.aZ.....X[{L.e..Z#..`.Z...*8..[.p..0.(...j..W..-M...V..H7.c.KN...5e.."...t[um..R...UF.c..1.....z|z.EeO..j..k.V..\x.8.....et;.9.^.Pa..+......U....Iu.q.t....HY.g...q.......omK...FKr1.F..F?.i.d../.]....68..L.........W..s.CU.|y.....zE..Q\...82..W.i[.#Q..xm......P..u.<.#...yC...,........~B..|sF.

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\una_front\java.instrument.jmod

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Java jmod module version 1.0
                                                          Category:dropped
                                                          Size (bytes):41127
                                                          Entropy (8bit):7.961466748192397
                                                          Encrypted:false
                                                          SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                          MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                          SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                          SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                          SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                          Malicious:false
                                                          Preview:JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...*A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z|*.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\una_front\java.logging.jmod

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Java jmod module version 1.0
                                                          Category:dropped
                                                          Size (bytes):113725
                                                          Entropy (8bit):7.928841651831531
                                                          Encrypted:false
                                                          SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                          MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                          SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                          SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                          SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                          Malicious:false
                                                          Preview:JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm......*..Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h.*.^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz|..^.........8q..{...}.*G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j*..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\una_front\java.management.jmod

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Java jmod module version 1.0
                                                          Category:dropped
                                                          Size (bytes):896846
                                                          Entropy (8bit):7.923431656723031
                                                          Encrypted:false
                                                          SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                          MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                          SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                          SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                          SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                          Malicious:false
                                                          Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):639224
                                                          Entropy (8bit):6.219852228773659
                                                          Encrypted:false
                                                          SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                          MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                          SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                          SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                          SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):98224
                                                          Entropy (8bit):6.452201564717313
                                                          Encrypted:false
                                                          SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                          MD5:F34EB034AA4A9735218686590CBA2E8B
                                                          SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                          SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                          SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):37256
                                                          Entropy (8bit):6.297533243519742
                                                          Encrypted:false
                                                          SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                          MD5:135359D350F72AD4BF716B764D39E749
                                                          SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                          SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                          SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Roaming\Microsoft\Installer\{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}\icon_22.exe

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):372526
                                                          Entropy (8bit):4.467275942115759
                                                          Encrypted:false
                                                          SSDEEP:3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
                                                          MD5:B52B2D1D4C9E56CA24AB0CD0730CC5AD
                                                          SHA1:C70A3683DF57DE3096CA58F314C0B649035392CC
                                                          SHA-256:73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
                                                          SHA-512:CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
                                                          Malicious:false
                                                          Preview:............ .( ..v......... .(.... ..@@.... .(B...(..00.... ..%...j.. .... ............... .....>......... .h......(............. ...... ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\575731.msi

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {CC0834DB-EC05-405A-9761-DDE937BC3BCF}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Dec 23 20:42:47 2024, Last Saved Time/Date: Mon Dec 23 20:42:47 2024, Last Printed: Mon Dec 23 20:42:47 2024, Number of Pages: 450
                                                          Category:dropped
                                                          Size (bytes):60281856
                                                          Entropy (8bit):7.201449726716881
                                                          Encrypted:false
                                                          SSDEEP:786432:8WZfjVmrjV7eIAtehOTZYoZ4sdUuzt/NCaY2ksC:8W5VmrjV7eIvhOTZ9RjVCa1t
                                                          MD5:C5080F60E79B1B30D3867848856F4EB3
                                                          SHA1:52883BED5C40F588B47A1F4DF35D8131CC153E21
                                                          SHA-256:9DF778CFA48C5988FA1F817E6EDC91882E5DE20ADDBA0B5E6A4FF5FCA701D24E
                                                          SHA-512:996102A913421EE600C7B5FD67DCC08C6CCC16FB0AD6CFA3D29E63229E4343C72F6C976C6B39FBF2DBB65773F087E38EF8D5B6F1E1C4A6E1C2E92DCA883568BF
                                                          Malicious:false
                                                          Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...N...K...L...e...O...""..P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

                                                          C:\Windows\Installer\575734.msi

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {CC0834DB-EC05-405A-9761-DDE937BC3BCF}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Dec 23 20:42:47 2024, Last Saved Time/Date: Mon Dec 23 20:42:47 2024, Last Printed: Mon Dec 23 20:42:47 2024, Number of Pages: 450
                                                          Category:dropped
                                                          Size (bytes):60281856
                                                          Entropy (8bit):7.201449726716881
                                                          Encrypted:false
                                                          SSDEEP:786432:8WZfjVmrjV7eIAtehOTZYoZ4sdUuzt/NCaY2ksC:8W5VmrjV7eIvhOTZ9RjVCa1t
                                                          MD5:C5080F60E79B1B30D3867848856F4EB3
                                                          SHA1:52883BED5C40F588B47A1F4DF35D8131CC153E21
                                                          SHA-256:9DF778CFA48C5988FA1F817E6EDC91882E5DE20ADDBA0B5E6A4FF5FCA701D24E
                                                          SHA-512:996102A913421EE600C7B5FD67DCC08C6CCC16FB0AD6CFA3D29E63229E4343C72F6C976C6B39FBF2DBB65773F087E38EF8D5B6F1E1C4A6E1C2E92DCA883568BF
                                                          Malicious:false
                                                          Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...N...K...L...e...O...""..P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

                                                          C:\Windows\Installer\MSI5FFB.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1021792
                                                          Entropy (8bit):6.608727172078022
                                                          Encrypted:false
                                                          SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                          MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                          SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                          SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                          SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\MSI6098.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1021792
                                                          Entropy (8bit):6.608727172078022
                                                          Encrypted:false
                                                          SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                          MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                          SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                          SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                          SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\MSI6106.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1021792
                                                          Entropy (8bit):6.608727172078022
                                                          Encrypted:false
                                                          SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                          MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                          SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                          SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                          SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\MSI6146.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1021792
                                                          Entropy (8bit):6.608727172078022
                                                          Encrypted:false
                                                          SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                          MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                          SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                          SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                          SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\MSI6195.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1201504
                                                          Entropy (8bit):6.4557937684843365
                                                          Encrypted:false
                                                          SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                          MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                          SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                          SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                          SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.|CF..@G.|DF..@G.|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\MSI61C5.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1021792
                                                          Entropy (8bit):6.608727172078022
                                                          Encrypted:false
                                                          SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                          MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                          SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                          SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                          SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\MSI6204.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1021792
                                                          Entropy (8bit):6.608727172078022
                                                          Encrypted:false
                                                          SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                          MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                          SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                          SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                          SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\MSI7E19.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):380520
                                                          Entropy (8bit):6.512348002260683
                                                          Encrypted:false
                                                          SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                          MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                          SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                          SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                          SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\MSI86A5.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):393114
                                                          Entropy (8bit):4.7364985214968485
                                                          Encrypted:false
                                                          SSDEEP:3072:aO9BAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzza:aO9SCANx6xPZX9mBb
                                                          MD5:1FAD7FBDF9B5F38C3D512609629AF852
                                                          SHA1:E1A9C8FE692766A0C64A956A44165146203F0F27
                                                          SHA-256:2CF2B019309B984ECD3269A237E5FD5AD1C8E954C6B6251E4E28E0DFAA3120F6
                                                          SHA-512:7757F608A70AEA1A1BACCAB1E9965F3BFF10A382D334F2C61B42E742ED449CE6DD17172D525327B0062FDB7A625F2EF903B95F156C53E3B2CFCF042FCABFBD68
                                                          Malicious:false
                                                          Preview:...@IXOS.@.....@.8.Y.@.....@.....@.....@.....@.....@......&.{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}..App x installer..E8vC8KRIp1.msi.@.....@.....@.....@......icon_22.exe..&.{CC0834DB-EC05-405A-9761-DDE937BC3BCF}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}C.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}8.21:\Software\Coors Q Corporation\App x installer\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}N.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}U.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.d

                                                          C:\Windows\Installer\MSI86B6.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):787808
                                                          Entropy (8bit):6.693392695195763
                                                          Encrypted:false
                                                          SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                          MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                          SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                          SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                          SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\SourceHash{C1C254C4-A6C9-4D2E-9E24-5442C42C20F9}

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.1643660184882885
                                                          Encrypted:false
                                                          SSDEEP:12:JSbX72FjFlAGiLIlHVRpZh/7777777777777777777777777vDHF9u0qDWit/l0G:JXlQI5tbu1DPiF
                                                          MD5:BDB36A9D03AE4FE07CD40DF2192D7FFE
                                                          SHA1:08AE5EDDBDE0E29815F5490EE837BCF725658C88
                                                          SHA-256:6414B4FEE59EC82AD9D210A3ACEF0AEEA31811F177AEA9B3FE528FD088FC3EF3
                                                          SHA-512:BFEB4FA8C9725FB2FAAF41FB9ED9A5EE25AD8A7AE3612749E8FA56DB26CD841E7E41455D71CF8B9482AEE7DF4AE48023FDC116BE28FCFAAC21F1FC6E852F451C
                                                          Malicious:false
                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Installer\inprogressinstallinfo.ipi

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.5855324271278595
                                                          Encrypted:false
                                                          SSDEEP:48:6h8PhXuRc06WXJ0FT5ljAmMoAECiCyVSCvoQX2ySCOTEV:68hX13FTXuECe9Xj5
                                                          MD5:35A1E32F9158A9C40E47D19FFCF0B9BC
                                                          SHA1:729017E9ADC96FF9C8521DEEF91FBB42D39B28FC
                                                          SHA-256:A50C28FC5F6FCC317B14ED4AED17A33B76219EA7D1A8B203EE58780EEBDECDC6
                                                          SHA-512:1B0B930F162B64CBDFCC06E1E7BFEBC1101F8C3FA10BBB7921BB6E1A4FB151C1499E9E1ED289BC285F519014F18E79122474B2111956F6CFA76CA5EC162EA492
                                                          Malicious:false
                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):432221
                                                          Entropy (8bit):5.375174411324765
                                                          Encrypted:false
                                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauu:zTtbmkExhMJCIpErX
                                                          MD5:A980F777DD682EB5731806CF12FE9DFE
                                                          SHA1:C11E4E326A9B49A69B021EAFE8E0C581EC7901F2
                                                          SHA-256:4A805C136E855CFD7837F47E89E02352F3274BFFBCD21061454B8310228EEC7E
                                                          SHA-512:833E2060FBCACB945401A3E9268959844D12C489857CFB1231C37E155B6791D3E1801A11E477F1764EEDDA992F8AA5DDBA2D04AEF03E33D29A14D3CB29522BCF
                                                          Malicious:false
                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                          C:\Windows\Temp\~DF3242894C0351D027.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DF3D2554972FF7C66B.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DF60533D2836C706DC.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):1.2689164723505089
                                                          Encrypted:false
                                                          SSDEEP:48:X0PupO+CFXJpT5EVDjAmMoAECiCyVSCvoQX2ySCOTEV:EPBRTuVvuECe9Xj5
                                                          MD5:4A5D546526A0730013CB1E7C5EE74604
                                                          SHA1:7ED38ACE5488CF2299225DD21D6DC7010BA8202A
                                                          SHA-256:917B5AE34510840E1D4AB8269B8894FBD0514B94104427A0B71F8A3E4981DD44
                                                          SHA-512:E975036D5C408B563E90D4C39675CC0387CB8AB2D9821EABEE54CE82EA06DCE0B44CC116B2047AE15E0DEA5F7111A1290E8F541F54E7543D38967764D97F52A8
                                                          Malicious:false
                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DF72DD7EB20E880E99.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):0.0718523199444343
                                                          Encrypted:false
                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOx1PjO8UkRnY0qDtltgVky6lit/:2F0i8n0itFzDHF9u0qDJit/
                                                          MD5:9BE79ED15B69F165B02C75C9B6C51450
                                                          SHA1:A9F215AECB4553536DD4328F79D9AB109D8341E1
                                                          SHA-256:5B6C3C49B840C5227C4C166852A43D81BE5BA986BFBD6E89479CA78640CF1C61
                                                          SHA-512:D9CC4987F9536F80120D56DC7CF6EA5E4A111835F31D2BFB6836BAE172D16460A3D1244CE198DFFBFF09FFBF9E1EC1A5BA7A6464059E2A56993C47451084E2F7
                                                          Malicious:false
                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DF8F5E5EE5842F4D07.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DFA026166BCFF63B4F.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):73728
                                                          Entropy (8bit):0.14522885188057774
                                                          Encrypted:false
                                                          SSDEEP:24:GVzPTxkrMvxipVkrMvvkrMvbMoAEVkryjCyH1ipVkrMvIV2BwG2r80mNx+0kz:GVTTeySCTmMoAECiCyVSCvoQXCu
                                                          MD5:B8DD7416D7F10333F9D0C3248B3AE664
                                                          SHA1:3D93A695E281C301029FE6066E9D5EC9E2B86595
                                                          SHA-256:4F9DA61E720F1198DF0561DFE58FDD13E145D0787E80E471000D1E1DA4A4A1D0
                                                          SHA-512:514AC24E4AED995A1A54521BC39049F4290D681F7C2AC48459D98A17A1753649B7DD507ECCB42D49F1054E15C52CB0D4F552AAB8CA5CB94E0A80C4F7CA96C1AD
                                                          Malicious:false
                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DFA2B97C2038E10DE1.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.5855324271278595
                                                          Encrypted:false
                                                          SSDEEP:48:6h8PhXuRc06WXJ0FT5ljAmMoAECiCyVSCvoQX2ySCOTEV:68hX13FTXuECe9Xj5
                                                          MD5:35A1E32F9158A9C40E47D19FFCF0B9BC
                                                          SHA1:729017E9ADC96FF9C8521DEEF91FBB42D39B28FC
                                                          SHA-256:A50C28FC5F6FCC317B14ED4AED17A33B76219EA7D1A8B203EE58780EEBDECDC6
                                                          SHA-512:1B0B930F162B64CBDFCC06E1E7BFEBC1101F8C3FA10BBB7921BB6E1A4FB151C1499E9E1ED289BC285F519014F18E79122474B2111956F6CFA76CA5EC162EA492
                                                          Malicious:false
                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DFB660FE05079ABC2F.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):1.5855324271278595
                                                          Encrypted:false
                                                          SSDEEP:48:6h8PhXuRc06WXJ0FT5ljAmMoAECiCyVSCvoQX2ySCOTEV:68hX13FTXuECe9Xj5
                                                          MD5:35A1E32F9158A9C40E47D19FFCF0B9BC
                                                          SHA1:729017E9ADC96FF9C8521DEEF91FBB42D39B28FC
                                                          SHA-256:A50C28FC5F6FCC317B14ED4AED17A33B76219EA7D1A8B203EE58780EEBDECDC6
                                                          SHA-512:1B0B930F162B64CBDFCC06E1E7BFEBC1101F8C3FA10BBB7921BB6E1A4FB151C1499E9E1ED289BC285F519014F18E79122474B2111956F6CFA76CA5EC162EA492
                                                          Malicious:false
                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DFCB2FDFCB468E4CC1.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DFCF777A3CFB3A7411.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):1.2689164723505089
                                                          Encrypted:false
                                                          SSDEEP:48:X0PupO+CFXJpT5EVDjAmMoAECiCyVSCvoQX2ySCOTEV:EPBRTuVvuECe9Xj5
                                                          MD5:4A5D546526A0730013CB1E7C5EE74604
                                                          SHA1:7ED38ACE5488CF2299225DD21D6DC7010BA8202A
                                                          SHA-256:917B5AE34510840E1D4AB8269B8894FBD0514B94104427A0B71F8A3E4981DD44
                                                          SHA-512:E975036D5C408B563E90D4C39675CC0387CB8AB2D9821EABEE54CE82EA06DCE0B44CC116B2047AE15E0DEA5F7111A1290E8F541F54E7543D38967764D97F52A8
                                                          Malicious:false
                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DFD1529628E8CB2885.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):1.2689164723505089
                                                          Encrypted:false
                                                          SSDEEP:48:X0PupO+CFXJpT5EVDjAmMoAECiCyVSCvoQX2ySCOTEV:EPBRTuVvuECe9Xj5
                                                          MD5:4A5D546526A0730013CB1E7C5EE74604
                                                          SHA1:7ED38ACE5488CF2299225DD21D6DC7010BA8202A
                                                          SHA-256:917B5AE34510840E1D4AB8269B8894FBD0514B94104427A0B71F8A3E4981DD44
                                                          SHA-512:E975036D5C408B563E90D4C39675CC0387CB8AB2D9821EABEE54CE82EA06DCE0B44CC116B2047AE15E0DEA5F7111A1290E8F541F54E7543D38967764D97F52A8
                                                          Malicious:false
                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Windows\Temp\~DFEA0492AA242FA84C.TMP

                                                          Download File
                                                          Process:C:\Windows\System32\msiexec.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                          Malicious:false
                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          \Device\ConDrv

                                                          Download File
                                                          Process:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):638
                                                          Entropy (8bit):4.751962275036146
                                                          Encrypted:false
                                                          SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                          MD5:15CA959638E74EEC47E0830B90D0696E
                                                          SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                          SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                          SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                          Malicious:false
                                                          Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...

                                                          Static File Info

                                                          General

                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {CC0834DB-EC05-405A-9761-DDE937BC3BCF}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Dec 23 20:42:47 2024, Last Saved Time/Date: Mon Dec 23 20:42:47 2024, Last Printed: Mon Dec 23 20:42:47 2024, Number of Pages: 450
                                                          Entropy (8bit):7.201449726716881
                                                          TrID:
                                                          • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                          • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                          File name:E8vC8KRIp1.msi
                                                          File size:60'281'856 bytes
                                                          MD5:c5080f60e79b1b30d3867848856f4eb3
                                                          SHA1:52883bed5c40f588b47a1f4df35d8131cc153e21
                                                          SHA256:9df778cfa48c5988fa1f817e6edc91882e5de20addba0b5e6a4ff5fca701d24e
                                                          SHA512:996102a913421ee600c7b5fd67dcc08c6ccc16fb0ad6cfa3d29e63229e4343c72f6c976c6b39fbf2dbb65773f087e38ef8d5b6f1e1c4a6e1c2e92dca883568bf
                                                          SSDEEP:786432:8WZfjVmrjV7eIAtehOTZYoZ4sdUuzt/NCaY2ksC:8W5VmrjV7eIvhOTZ9RjVCa1t
                                                          TLSH:4AD76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
                                                          File Content Preview:........................>............................................2..................................................................x......................................................................................................................

                                                          File Icon

                                                          Icon Hash:2d2e3797b32b2b99

                                                          Network Behavior

                                                          Network Port Distribution

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Dec 24, 2024 13:06:16.477914095 CET6173653192.168.2.41.1.1.1
                                                          Dec 24, 2024 13:06:17.485778093 CET6173653192.168.2.41.1.1.1
                                                          Dec 24, 2024 13:06:17.952245951 CET53617361.1.1.1192.168.2.4
                                                          Dec 24, 2024 13:06:17.952265978 CET53617361.1.1.1192.168.2.4

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Dec 24, 2024 13:06:16.477914095 CET192.168.2.41.1.1.10xad05Standard query (0)denimcard.comA (IP address)IN (0x0001)false
                                                          Dec 24, 2024 13:06:17.485778093 CET192.168.2.41.1.1.10xad05Standard query (0)denimcard.comA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Dec 24, 2024 13:06:17.952245951 CET1.1.1.1192.168.2.40xad05Name error (3)denimcard.comnonenoneA (IP address)IN (0x0001)false
                                                          Dec 24, 2024 13:06:17.952265978 CET1.1.1.1192.168.2.40xad05Name error (3)denimcard.comnonenoneA (IP address)IN (0x0001)false

                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:07:06:05
                                                          Start date:24/12/2024
                                                          Path:C:\Windows\System32\msiexec.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\E8vC8KRIp1.msi"
                                                          Imagebase:0x7ff7eded0000
                                                          File size:69'632 bytes
                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:1
                                                          Start time:07:06:05
                                                          Start date:24/12/2024
                                                          Path:C:\Windows\System32\msiexec.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                          Imagebase:0x7ff7eded0000
                                                          File size:69'632 bytes
                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          General

                                                          Target ID:2
                                                          Start time:07:06:07
                                                          Start date:24/12/2024
                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding B6FC27F7B452802029F995C7B4F25DAE
                                                          Imagebase:0x5b0000
                                                          File size:59'904 bytes
                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:3
                                                          Start time:07:06:18
                                                          Start date:24/12/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss874C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8749.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr874A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr874B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                          Imagebase:0x640000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:4
                                                          Start time:07:06:18
                                                          Start date:24/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:6
                                                          Start time:07:06:24
                                                          Start date:24/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
                                                          Imagebase:0x7ff61d7f0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:7
                                                          Start time:07:06:24
                                                          Start date:24/12/2024
                                                          Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
                                                          Imagebase:0x7ff6b1680000
                                                          File size:57'488 bytes
                                                          MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:8
                                                          Start time:07:06:24
                                                          Start date:24/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:9
                                                          Start time:07:06:24
                                                          Start date:24/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f330000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:10
                                                          Start time:07:06:24
                                                          Start date:24/12/2024
                                                          Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
                                                          Imagebase:0x140000000
                                                          File size:117'496 bytes
                                                          MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:11
                                                          Start time:07:06:24
                                                          Start date:24/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Disassembly

                                                          Reset < >

                                                            Executed Functions

                                                            Function 07601B50 Relevance: 4.0, Strings: 3, Instructions: 205COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1821036895.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7600000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $^q$$^q$$^q
                                                            • API String ID: 0-831282457
                                                            • Opcode ID: eb7fc374198b6952208c8a2be6110753f151bd6cf5f7a6bfedc3c30bd8027b89
                                                            • Instruction ID: 099591d3ff37dbf4a6c30d8df2684cbb3cc9b69532e30ba0cda2c9fe5bcdff70
                                                            • Opcode Fuzzy Hash: eb7fc374198b6952208c8a2be6110753f151bd6cf5f7a6bfedc3c30bd8027b89
                                                            • Instruction Fuzzy Hash: C861E1B170021E9FCB2D9F79D44066FBBE2AF86310F14846AE8468B391EB35C945CBD1
                                                            Function 07601B35 Relevance: 2.6, Strings: 2, Instructions: 104COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1821036895.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7600000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $^q$$^q
                                                            • API String ID: 0-355816377
                                                            • Opcode ID: ae0dad0293864f4863de1e5ab2f364478bc7a668c0aeafbc63f6bdd614b85c7f
                                                            • Instruction ID: 222ea6807b4a687816607a0f087d2c1d118b3e2877ae43697fdab01f33fd1877
                                                            • Opcode Fuzzy Hash: ae0dad0293864f4863de1e5ab2f364478bc7a668c0aeafbc63f6bdd614b85c7f
                                                            • Instruction Fuzzy Hash: 66315EF5A0420EDFCB2C8F65D5446AF7BF1EB42321F1484A6D4068B291E739D945CBD1
                                                            Function 02DE8BC8 Relevance: 1.4, Strings: 1, Instructions: 195COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1815012020.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_2de0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: U
                                                            • API String ID: 0-3372436214
                                                            • Opcode ID: cfc0d3ac00bc7eb0902efdf4cb2829c87741bc343c06e9cc1cad62dccf17ccc9
                                                            • Instruction ID: ca6535c79c66593ee03c2a4115897c8385174e2fb6e731b5933ddf047c8237c4
                                                            • Opcode Fuzzy Hash: cfc0d3ac00bc7eb0902efdf4cb2829c87741bc343c06e9cc1cad62dccf17ccc9
                                                            • Instruction Fuzzy Hash: 2071CF30A012488FCB15EF68C884A9EFBF6FF85314F248569E456DB3A1DB71AC45CB91
                                                            Function 02DE8478 Relevance: .3, Instructions: 266COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1815012020.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_2de0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a577274f8fee0af36077fe195dcc4d0d8db9d0f3b030363a55fd802251f249f5
                                                            • Instruction ID: fd69701d4ff48bc13e609d361248b201dbf2fc5d627d9090ac491b30d1de9138
                                                            • Opcode Fuzzy Hash: a577274f8fee0af36077fe195dcc4d0d8db9d0f3b030363a55fd802251f249f5
                                                            • Instruction Fuzzy Hash: 99A17D35E002088FDF14EFA4D984AADBBB2FF84304F254559E806EB365DB74AD49DB90
                                                            Function 02DE8D36 Relevance: .2, Instructions: 188COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1815012020.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_2de0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 86b06a888bcc459b0ff04713d1f82d92e79a29accbaa7a146c1a782b42e36557
                                                            • Instruction ID: d463bb4fbb38afc1fbc5f817a8ccd278623b64d8bb13ad397388a47e2b5379fd
                                                            • Opcode Fuzzy Hash: 86b06a888bcc459b0ff04713d1f82d92e79a29accbaa7a146c1a782b42e36557
                                                            • Instruction Fuzzy Hash: 80713A70E012089FDF15EFA5D584BADBBF2BF88344F148429D416AB3A0DB75AC46CB51
                                                            Function 02DE8959 Relevance: .1, Instructions: 146COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1815012020.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_2de0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5e39127ba4ecdbff47e49e19a25712397c3f2c9ab22c34f9da07f8083a45c739
                                                            • Instruction ID: bbfbddf3b9121417c6e0afe62f1af0bab1d3ea0f6f00d900ef6c1e7c772001b0
                                                            • Opcode Fuzzy Hash: 5e39127ba4ecdbff47e49e19a25712397c3f2c9ab22c34f9da07f8083a45c739
                                                            • Instruction Fuzzy Hash: C251A130A402448FDB14EB64C998AAEBBB2FF89751F184569D447EB3B0CB349C41DB90
                                                            Function 02DE8BB3 Relevance: .1, Instructions: 116COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1815012020.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_2de0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c2e6d7823bf9c9d78359703bd1ba2aa753c415b4846d5a3cc1b35c7facbee87
                                                            • Instruction ID: 4e5cfd54af570560bf8758f9bf5ec9a5d361dab140a188e9943039d35219ae40
                                                            • Opcode Fuzzy Hash: 9c2e6d7823bf9c9d78359703bd1ba2aa753c415b4846d5a3cc1b35c7facbee87
                                                            • Instruction Fuzzy Hash: B2417E70E002488FDB19EFA9C58479EBBB2FF89344F148569D006EB3A0DBB5AC45CB51
                                                            Function 02DE3A80 Relevance: .1, Instructions: 113COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1815012020.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_2de0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 889edf090a44e40927bb9cab67cb75c3c4ab27ea5ac679d4deffd8350aada334
                                                            • Instruction ID: 110d2e74aca24f5ef88dc22ed8e7c87643b36d3b5323976b1f339aa360c4e6a2
                                                            • Opcode Fuzzy Hash: 889edf090a44e40927bb9cab67cb75c3c4ab27ea5ac679d4deffd8350aada334
                                                            • Instruction Fuzzy Hash: 58413D60B092408FD7D5BA28C160275BFF3EB9625035986AAF08BCB751DA25EC46CB61
                                                            Function 02D3D01D Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1814850521.0000000002D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D3D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_2d3d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 73d2f91b7923f2a38a2d99e6fad2bec5cc7d4ae9fb2c52e5ecba67f3d3184d9a
                                                            • Instruction ID: c195989f442eebf06e615c28dd555e928489ea827101c344000dba656fff708a
                                                            • Opcode Fuzzy Hash: 73d2f91b7923f2a38a2d99e6fad2bec5cc7d4ae9fb2c52e5ecba67f3d3184d9a
                                                            • Instruction Fuzzy Hash: 2001D6714093409AE7228A29CDC4B67BF99EF41B64F28C52AED584B346C779DC41CEB1
                                                            Function 02D3D005 Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1814850521.0000000002D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D3D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_2d3d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d45d72dfbfe91ba7bd9a55a50baebd0cfef7fb200140d47a8f0d2a23e3be270b
                                                            • Instruction ID: f0d63c9b868052874c5d234d54a69c9b9d8604aba8b0c997d0e824c17ea58642
                                                            • Opcode Fuzzy Hash: d45d72dfbfe91ba7bd9a55a50baebd0cfef7fb200140d47a8f0d2a23e3be270b
                                                            • Instruction Fuzzy Hash: 1701406100E3C09ED7138B25C894B52BFB4EF47624F1DC0DBD8888F2A7C2699849CB72
                                                            Function 02DE88ED Relevance: .0, Instructions: 24COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1815012020.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_2de0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6ae92635493a35cb049eb243bde21c516c9d341322e76c97ca8aa1af132d8b6e
                                                            • Instruction ID: 0cc2dff5ca6527c88a0feed61011a01fe79509aaeda342e7afa89255d0d441f7
                                                            • Opcode Fuzzy Hash: 6ae92635493a35cb049eb243bde21c516c9d341322e76c97ca8aa1af132d8b6e
                                                            • Instruction Fuzzy Hash: 3FF03770A4020A8FDB04DBA4D595B6E77B2EF40340F104419D142DF3A4DB78DD49CBD0

                                                            Non-executed Functions

                                                            Function 07601658 Relevance: 15.3, Strings: 12, Instructions: 272COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1821036895.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7600000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 84ik$84ik$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$ak$ak
                                                            • API String ID: 0-4209403998
                                                            • Opcode ID: be36de5ce551423c88dafff8002f8cb2183b05453dc16493c093bb890b8dc145
                                                            • Instruction ID: 8177a66b0a9b9297dadaf07f99a1d2ef5b24fc7053ea772714d1e80783df7166
                                                            • Opcode Fuzzy Hash: be36de5ce551423c88dafff8002f8cb2183b05453dc16493c093bb890b8dc145
                                                            • Instruction Fuzzy Hash: 038137B1B042598FD71D8B79980466BBBE2EF86310F1880ABD546CF392DA31DC05C7E1
                                                            Function 07600898 Relevance: 10.2, Strings: 8, Instructions: 184COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1821036895.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7600000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                            • API String ID: 0-3732357466
                                                            • Opcode ID: 4650b28af73265b9f7448c65af18e1a43e885893a72425cc8f4e76d726751c11
                                                            • Instruction ID: e6fed38b26a86f8b8451f5fd3072b86319f7c386b04ac020ed0259990d1e9f1a
                                                            • Opcode Fuzzy Hash: 4650b28af73265b9f7448c65af18e1a43e885893a72425cc8f4e76d726751c11
                                                            • Instruction Fuzzy Hash: 1C510AB57043068FDB2D4A7994047ABBBB6EFC5621F24847BD446CB381DA31C856C7E1
                                                            Function 07600E88 Relevance: 6.3, Strings: 5, Instructions: 79COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1821036895.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7600000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4hk$4hk$$^q$$^q$$^q
                                                            • API String ID: 0-3513967680
                                                            • Opcode ID: 6a54625643bcd16a8c49d01ce7a48e2b79638a6b0ea2af23a43339f9870500a2
                                                            • Instruction ID: c813b1524dd5473c6808be6bfd3ddcc7c6ab4c592ff0f5307293dc2ceba53158
                                                            • Opcode Fuzzy Hash: 6a54625643bcd16a8c49d01ce7a48e2b79638a6b0ea2af23a43339f9870500a2
                                                            • Instruction Fuzzy Hash: B91102F131020A9FDA2C59399810B7B76DA8FD1610B18843ADA07DB3D6DE76D842D3F1
                                                            Function 076004D1 Relevance: 5.1, Strings: 4, Instructions: 51COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1821036895.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7600000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$$^q$$^q
                                                            • API String ID: 0-2049395529
                                                            • Opcode ID: aa07faa8c69266f866dfe9261b8d2349301da6c747959cb93a8588be5e103401
                                                            • Instruction ID: b22bab787bd99ce4b1be617627804c5bca2876e11b2ae170ef32e67091e63097
                                                            • Opcode Fuzzy Hash: aa07faa8c69266f866dfe9261b8d2349301da6c747959cb93a8588be5e103401
                                                            • Instruction Fuzzy Hash: A4017161B4A3854FC71F167829241665FB25F83550B2E04DBC082DF3E7CD698D4A83E2

                                                            Execution Graph

                                                            Execution Coverage:3.4%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:1.7%
                                                            Total number of Nodes:700
                                                            Total number of Limit Nodes:1
                                                            execution_graph 2502 7ff6b16859ad 2521 7ff6b16843d0 2502->2521 2504 7ff6b16859ba 2505 7ff6b16843d0 ExFilterRethrow 10 API calls 2504->2505 2507 7ff6b16859c3 __GSHandlerCheck_EH 2505->2507 2506 7ff6b1685a0a RaiseException 2508 7ff6b1685a29 2506->2508 2507->2506 2524 7ff6b1683b54 2508->2524 2510 7ff6b16843d0 ExFilterRethrow 10 API calls 2511 7ff6b1685a6d 2510->2511 2513 7ff6b16843d0 ExFilterRethrow 10 API calls 2511->2513 2515 7ff6b1685a76 2513->2515 2516 7ff6b16843d0 ExFilterRethrow 10 API calls 2515->2516 2518 7ff6b1685a7f 2516->2518 2517 7ff6b1685a5a __GSHandlerCheck_EH 2517->2510 2519 7ff6b16843d0 ExFilterRethrow 10 API calls 2518->2519 2520 7ff6b1685a8e 2519->2520 2536 7ff6b16843ec 2521->2536 2523 7ff6b16843d9 2523->2504 2525 7ff6b16843d0 ExFilterRethrow 10 API calls 2524->2525 2526 7ff6b1683b66 2525->2526 2527 7ff6b1683ba1 abort 2526->2527 2528 7ff6b16843d0 ExFilterRethrow 10 API calls 2526->2528 2529 7ff6b1683b71 2528->2529 2529->2527 2530 7ff6b1683b8d 2529->2530 2531 7ff6b16843d0 ExFilterRethrow 10 API calls 2530->2531 2532 7ff6b1683b92 2531->2532 2532->2517 2533 7ff6b1684104 2532->2533 2534 7ff6b16843d0 ExFilterRethrow 10 API calls 2533->2534 2535 7ff6b1684112 2534->2535 2535->2517 2537 7ff6b168440b GetLastError 2536->2537 2538 7ff6b1684404 2536->2538 2550 7ff6b1686678 2537->2550 2538->2523 2551 7ff6b1686498 __vcrt_InitializeCriticalSectionEx 5 API calls 2550->2551 2552 7ff6b168669f TlsGetValue 2551->2552 2256 7ff6b16827ec 2279 7ff6b1682b8c 2256->2279 2259 7ff6b168280d 2262 7ff6b168294d 2259->2262 2268 7ff6b168282b __scrt_release_startup_lock 2259->2268 2260 7ff6b1682943 2319 7ff6b1682ecc IsProcessorFeaturePresent 2260->2319 2263 7ff6b1682ecc 7 API calls 2262->2263 2264 7ff6b1682958 2263->2264 2266 7ff6b1682960 _exit 2264->2266 2265 7ff6b1682850 2267 7ff6b16828d6 _get_initial_narrow_environment __p___argv __p___argc 2285 7ff6b1681060 2267->2285 2268->2265 2268->2267 2271 7ff6b16828ce _register_thread_local_exe_atexit_callback 2268->2271 2271->2267 2274 7ff6b1682903 2275 7ff6b168290d 2274->2275 2276 7ff6b1682908 _cexit 2274->2276 2315 7ff6b1682d20 2275->2315 2276->2275 2326 7ff6b168316c 2279->2326 2282 7ff6b1682bbb __scrt_initialize_crt 2283 7ff6b1682805 2282->2283 2328 7ff6b168404c 2282->2328 2283->2259 2283->2260 2286 7ff6b1681386 2285->2286 2310 7ff6b16810b4 2285->2310 2355 7ff6b1681450 __acrt_iob_func 2286->2355 2288 7ff6b1681399 2313 7ff6b1683020 GetModuleHandleW 2288->2313 2289 7ff6b1681289 2289->2286 2290 7ff6b168129f 2289->2290 2360 7ff6b1682688 2290->2360 2292 7ff6b16812a9 2294 7ff6b1681325 2292->2294 2295 7ff6b16812b9 GetTempPathA 2292->2295 2293 7ff6b1681125 strcmp 2293->2310 2369 7ff6b16823c0 2294->2369 2298 7ff6b16812cb GetLastError 2295->2298 2299 7ff6b16812e9 strcat_s 2295->2299 2296 7ff6b1681151 strcmp 2296->2310 2301 7ff6b1681450 6 API calls 2298->2301 2299->2294 2302 7ff6b1681304 2299->2302 2305 7ff6b16812df GetLastError 2301->2305 2306 7ff6b1681450 6 API calls 2302->2306 2303 7ff6b1681344 __acrt_iob_func fflush __acrt_iob_func fflush 2309 7ff6b1681312 2303->2309 2304 7ff6b168117d strcmp 2304->2310 2305->2309 2306->2309 2309->2288 2310->2289 2310->2293 2310->2296 2310->2304 2311 7ff6b1681226 strcmp 2310->2311 2311->2310 2312 7ff6b1681239 atoi 2311->2312 2312->2310 2314 7ff6b16828ff 2313->2314 2314->2264 2314->2274 2316 7ff6b1682d31 __scrt_initialize_crt 2315->2316 2317 7ff6b1682916 2316->2317 2318 7ff6b168404c __scrt_initialize_crt 7 API calls 2316->2318 2317->2265 2318->2317 2320 7ff6b1682ef2 2319->2320 2321 7ff6b1682f11 RtlCaptureContext RtlLookupFunctionEntry 2320->2321 2322 7ff6b1682f3a RtlVirtualUnwind 2321->2322 2323 7ff6b1682f76 2321->2323 2322->2323 2324 7ff6b1682fa8 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 2323->2324 2325 7ff6b1682ffa 2324->2325 2325->2262 2327 7ff6b1682bae __scrt_dllmain_crt_thread_attach 2326->2327 2327->2282 2327->2283 2329 7ff6b1684054 2328->2329 2330 7ff6b168405e 2328->2330 2334 7ff6b16844f4 2329->2334 2330->2283 2335 7ff6b1684503 2334->2335 2336 7ff6b1684059 2334->2336 2342 7ff6b1686630 2335->2342 2338 7ff6b1686460 2336->2338 2339 7ff6b168648b 2338->2339 2340 7ff6b168648f 2339->2340 2341 7ff6b168646e DeleteCriticalSection 2339->2341 2340->2330 2341->2339 2346 7ff6b1686498 2342->2346 2347 7ff6b16865b2 TlsFree 2346->2347 2348 7ff6b16864dc 2346->2348 2348->2347 2349 7ff6b168650a LoadLibraryExW 2348->2349 2352 7ff6b16865a1 GetProcAddress 2348->2352 2354 7ff6b168654d LoadLibraryExW 2348->2354 2350 7ff6b168652b GetLastError 2349->2350 2351 7ff6b1686581 2349->2351 2350->2348 2351->2352 2353 7ff6b1686598 FreeLibrary 2351->2353 2352->2347 2353->2352 2354->2348 2354->2351 2405 7ff6b1681010 2355->2405 2357 7ff6b168148a __acrt_iob_func 2408 7ff6b1681000 2357->2408 2359 7ff6b16814a2 __stdio_common_vfprintf __acrt_iob_func fflush 2359->2288 2362 7ff6b1682690 2360->2362 2361 7ff6b16826aa malloc 2361->2362 2363 7ff6b16826b4 2361->2363 2362->2361 2364 7ff6b16826ba 2362->2364 2363->2292 2365 7ff6b16826c5 2364->2365 2410 7ff6b1682b30 2364->2410 2414 7ff6b1681720 2365->2414 2368 7ff6b16826cb 2368->2292 2370 7ff6b1682688 5 API calls 2369->2370 2371 7ff6b16823f5 OpenProcess 2370->2371 2372 7ff6b168243b GetLastError 2371->2372 2373 7ff6b1682458 K32GetModuleBaseNameA 2371->2373 2374 7ff6b1681450 6 API calls 2372->2374 2375 7ff6b1682492 2373->2375 2376 7ff6b1682470 GetLastError 2373->2376 2379 7ff6b1682453 2374->2379 2431 7ff6b1681800 2375->2431 2377 7ff6b1681450 6 API calls 2376->2377 2380 7ff6b1682484 CloseHandle 2377->2380 2384 7ff6b16825fa 2379->2384 2387 7ff6b16825f3 _invalid_parameter_noinfo_noreturn 2379->2387 2380->2379 2382 7ff6b16825b3 CloseHandle 2382->2379 2383 7ff6b16824ae 2385 7ff6b16813c0 6 API calls 2383->2385 2442 7ff6b1682660 2384->2442 2386 7ff6b16824cf CreateFileA 2385->2386 2389 7ff6b1682543 2386->2389 2390 7ff6b168250f GetLastError 2386->2390 2387->2384 2391 7ff6b1682550 MiniDumpWriteDump 2389->2391 2395 7ff6b168258a CloseHandle CloseHandle 2389->2395 2393 7ff6b1681450 6 API calls 2390->2393 2391->2395 2396 7ff6b1682576 GetLastError 2391->2396 2394 7ff6b1682538 CloseHandle 2393->2394 2394->2379 2395->2379 2396->2389 2397 7ff6b168258c 2396->2397 2399 7ff6b1681450 6 API calls 2397->2399 2399->2395 2400 7ff6b16813c0 __acrt_iob_func 2401 7ff6b1681010 fprintf __stdio_common_vfprintf 2400->2401 2402 7ff6b16813fa __acrt_iob_func 2401->2402 2501 7ff6b1681000 2402->2501 2404 7ff6b1681412 __stdio_common_vfprintf __acrt_iob_func fflush 2404->2303 2409 7ff6b1681000 2405->2409 2407 7ff6b1681036 __stdio_common_vfprintf 2407->2357 2408->2359 2409->2407 2411 7ff6b1682b3e std::bad_alloc::bad_alloc 2410->2411 2420 7ff6b1683f84 2411->2420 2413 7ff6b1682b4f 2415 7ff6b168172e Concurrency::cancel_current_task 2414->2415 2416 7ff6b1683f84 Concurrency::cancel_current_task 2 API calls 2415->2416 2417 7ff6b168173f 2416->2417 2425 7ff6b1683cc0 2417->2425 2421 7ff6b1683fa3 2420->2421 2422 7ff6b1683fc0 RtlPcToFileHeader 2420->2422 2421->2422 2423 7ff6b1683fd8 2422->2423 2424 7ff6b1683fe7 RaiseException 2422->2424 2423->2424 2424->2413 2426 7ff6b168176d 2425->2426 2427 7ff6b1683ce1 2425->2427 2426->2368 2427->2426 2428 7ff6b1683cf6 malloc 2427->2428 2429 7ff6b1683d07 2428->2429 2430 7ff6b1683d23 free 2428->2430 2429->2430 2430->2426 2432 7ff6b1681863 WSAStartup 2431->2432 2433 7ff6b1681850 2431->2433 2436 7ff6b168187f 2432->2436 2441 7ff6b168185c 2432->2441 2434 7ff6b1681450 6 API calls 2433->2434 2434->2441 2435 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 2437 7ff6b1681d87 2435->2437 2438 7ff6b1681dd0 2436->2438 2436->2441 2451 7ff6b16820c0 2436->2451 2437->2382 2437->2383 2440 7ff6b1681450 6 API calls 2438->2440 2440->2441 2441->2435 2443 7ff6b1682669 2442->2443 2444 7ff6b1681334 2443->2444 2445 7ff6b16829c0 IsProcessorFeaturePresent 2443->2445 2444->2303 2444->2400 2446 7ff6b16829d8 2445->2446 2496 7ff6b1682a94 RtlCaptureContext 2446->2496 2452 7ff6b16820e9 2451->2452 2453 7ff6b1682218 2451->2453 2455 7ff6b1682144 2452->2455 2458 7ff6b168216c 2452->2458 2459 7ff6b1682137 2452->2459 2475 7ff6b16817e0 2453->2475 2466 7ff6b1682690 2455->2466 2456 7ff6b168221d 2461 7ff6b1681720 Concurrency::cancel_current_task 4 API calls 2456->2461 2460 7ff6b1682155 BuildCatchObjectHelperInternal 2458->2460 2463 7ff6b1682690 5 API calls 2458->2463 2459->2455 2459->2456 2462 7ff6b16821e0 _invalid_parameter_noinfo_noreturn 2460->2462 2465 7ff6b16821d3 BuildCatchObjectHelperInternal 2460->2465 2464 7ff6b1682223 2461->2464 2462->2465 2463->2460 2465->2436 2467 7ff6b16826aa malloc 2466->2467 2468 7ff6b168269b 2467->2468 2469 7ff6b16826b4 2467->2469 2468->2467 2470 7ff6b16826ba 2468->2470 2469->2460 2471 7ff6b1682b30 Concurrency::cancel_current_task 2 API calls 2470->2471 2473 7ff6b16826c5 2470->2473 2471->2473 2472 7ff6b1681720 Concurrency::cancel_current_task 4 API calls 2474 7ff6b16826cb 2472->2474 2473->2472 2474->2460 2488 7ff6b16834d4 2475->2488 2493 7ff6b16833f8 2488->2493 2491 7ff6b1683f84 Concurrency::cancel_current_task 2 API calls 2492 7ff6b16834f6 2491->2492 2494 7ff6b1683cc0 __std_exception_copy 2 API calls 2493->2494 2495 7ff6b168342c 2494->2495 2495->2491 2497 7ff6b1682aae RtlLookupFunctionEntry 2496->2497 2498 7ff6b16829eb 2497->2498 2499 7ff6b1682ac4 RtlVirtualUnwind 2497->2499 2500 7ff6b1682984 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2498->2500 2499->2497 2499->2498 2501->2404 2554 7ff6b16874a7 2557 7ff6b1685cc0 2554->2557 2562 7ff6b1685c38 2557->2562 2560 7ff6b1685ce0 2561 7ff6b16843d0 ExFilterRethrow 10 API calls 2561->2560 2563 7ff6b1685c5a 2562->2563 2565 7ff6b1685ca3 2562->2565 2564 7ff6b16843d0 ExFilterRethrow 10 API calls 2563->2564 2563->2565 2564->2565 2565->2560 2565->2561 2961 7ff6b1685f75 2969 7ff6b1685e35 __GSHandlerCheck_EH 2961->2969 2962 7ff6b1685f92 2963 7ff6b16843d0 ExFilterRethrow 10 API calls 2962->2963 2964 7ff6b1685f97 2963->2964 2965 7ff6b1685fa2 2964->2965 2966 7ff6b16843d0 ExFilterRethrow 10 API calls 2964->2966 2967 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 2965->2967 2966->2965 2968 7ff6b1685fb5 2967->2968 2969->2962 2970 7ff6b1683bd0 __GSHandlerCheck_EH 10 API calls 2969->2970 2970->2969 2971 7ff6b1687372 2972 7ff6b16843d0 ExFilterRethrow 10 API calls 2971->2972 2973 7ff6b1687389 2972->2973 2974 7ff6b16843d0 ExFilterRethrow 10 API calls 2973->2974 2975 7ff6b16873a4 2974->2975 2976 7ff6b16843d0 ExFilterRethrow 10 API calls 2975->2976 2977 7ff6b16873ad 2976->2977 2978 7ff6b1685414 __GSHandlerCheck_EH 31 API calls 2977->2978 2979 7ff6b16873f3 2978->2979 2980 7ff6b16843d0 ExFilterRethrow 10 API calls 2979->2980 2981 7ff6b16873f8 2980->2981 2566 7ff6b1687130 2567 7ff6b1687168 __GSHandlerCheckCommon 2566->2567 2568 7ff6b1687194 2567->2568 2570 7ff6b1683c00 2567->2570 2571 7ff6b16843d0 ExFilterRethrow 10 API calls 2570->2571 2572 7ff6b1683c42 2571->2572 2573 7ff6b16843d0 ExFilterRethrow 10 API calls 2572->2573 2574 7ff6b1683c4f 2573->2574 2575 7ff6b16843d0 ExFilterRethrow 10 API calls 2574->2575 2576 7ff6b1683c58 __GSHandlerCheck_EH 2575->2576 2579 7ff6b1685414 2576->2579 2580 7ff6b1685443 __except_validate_context_record 2579->2580 2581 7ff6b16843d0 ExFilterRethrow 10 API calls 2580->2581 2582 7ff6b1685448 2581->2582 2583 7ff6b1685498 2582->2583 2588 7ff6b16855b2 __GSHandlerCheck_EH 2582->2588 2594 7ff6b1683ca9 2582->2594 2584 7ff6b168559f 2583->2584 2586 7ff6b16854f3 __GSHandlerCheck_EH 2583->2586 2583->2594 2619 7ff6b1683678 2584->2619 2589 7ff6b16856a2 abort 2586->2589 2592 7ff6b1685543 2586->2592 2591 7ff6b16855f7 2588->2591 2588->2594 2623 7ff6b1683bbc 2588->2623 2591->2594 2626 7ff6b16849a4 2591->2626 2595 7ff6b1685cf0 2592->2595 2594->2568 2679 7ff6b1683ba8 2595->2679 2597 7ff6b1685d40 __GSHandlerCheck_EH 2598 7ff6b1685d5b 2597->2598 2599 7ff6b1685d72 2597->2599 2601 7ff6b16843d0 ExFilterRethrow 10 API calls 2598->2601 2600 7ff6b16843d0 ExFilterRethrow 10 API calls 2599->2600 2602 7ff6b1685d77 2600->2602 2603 7ff6b1685d60 2601->2603 2604 7ff6b1685d6a 2602->2604 2606 7ff6b16843d0 ExFilterRethrow 10 API calls 2602->2606 2603->2604 2605 7ff6b1685fd0 abort 2603->2605 2607 7ff6b16843d0 ExFilterRethrow 10 API calls 2604->2607 2608 7ff6b1685d82 2606->2608 2613 7ff6b1685d96 __GSHandlerCheck_EH 2607->2613 2609 7ff6b16843d0 ExFilterRethrow 10 API calls 2608->2609 2609->2604 2610 7ff6b1685f92 2611 7ff6b16843d0 ExFilterRethrow 10 API calls 2610->2611 2612 7ff6b1685f97 2611->2612 2614 7ff6b1685fa2 2612->2614 2615 7ff6b16843d0 ExFilterRethrow 10 API calls 2612->2615 2613->2610 2682 7ff6b1683bd0 2613->2682 2616 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 2614->2616 2615->2614 2617 7ff6b1685fb5 2616->2617 2617->2594 2620 7ff6b168368a 2619->2620 2621 7ff6b1685cf0 __GSHandlerCheck_EH 19 API calls 2620->2621 2622 7ff6b16836a5 2621->2622 2622->2594 2624 7ff6b16843d0 ExFilterRethrow 10 API calls 2623->2624 2625 7ff6b1683bc5 2624->2625 2625->2591 2627 7ff6b1684a01 __GSHandlerCheck_EH 2626->2627 2628 7ff6b1684a09 2627->2628 2629 7ff6b1684a20 2627->2629 2630 7ff6b16843d0 ExFilterRethrow 10 API calls 2628->2630 2631 7ff6b16843d0 ExFilterRethrow 10 API calls 2629->2631 2637 7ff6b1684a0e 2630->2637 2632 7ff6b1684a25 2631->2632 2634 7ff6b16843d0 ExFilterRethrow 10 API calls 2632->2634 2632->2637 2633 7ff6b1684e99 abort 2635 7ff6b1684a30 2634->2635 2636 7ff6b16843d0 ExFilterRethrow 10 API calls 2635->2636 2636->2637 2637->2633 2638 7ff6b1684b54 __GSHandlerCheck_EH 2637->2638 2640 7ff6b16843d0 ExFilterRethrow 10 API calls 2637->2640 2639 7ff6b1684def 2638->2639 2673 7ff6b1684b90 __GSHandlerCheck_EH 2638->2673 2639->2633 2641 7ff6b1684ded 2639->2641 2721 7ff6b1684ea0 2639->2721 2643 7ff6b1684ac0 2640->2643 2642 7ff6b16843d0 ExFilterRethrow 10 API calls 2641->2642 2645 7ff6b1684e30 2642->2645 2647 7ff6b1684e37 2643->2647 2649 7ff6b16843d0 ExFilterRethrow 10 API calls 2643->2649 2645->2633 2645->2647 2646 7ff6b1684dd4 __GSHandlerCheck_EH 2646->2641 2654 7ff6b1684e81 2646->2654 2648 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 2647->2648 2650 7ff6b1684e43 2648->2650 2651 7ff6b1684ad0 2649->2651 2650->2594 2652 7ff6b16843d0 ExFilterRethrow 10 API calls 2651->2652 2653 7ff6b1684ad9 2652->2653 2685 7ff6b1683be8 2653->2685 2655 7ff6b16843d0 ExFilterRethrow 10 API calls 2654->2655 2657 7ff6b1684e86 2655->2657 2659 7ff6b16843d0 ExFilterRethrow 10 API calls 2657->2659 2660 7ff6b1684e8f terminate 2659->2660 2660->2633 2661 7ff6b16843d0 ExFilterRethrow 10 API calls 2662 7ff6b1684b16 2661->2662 2662->2638 2663 7ff6b16843d0 ExFilterRethrow 10 API calls 2662->2663 2665 7ff6b1684b22 2663->2665 2664 7ff6b1683bbc 10 API calls BuildCatchObjectHelperInternal 2664->2673 2666 7ff6b16843d0 ExFilterRethrow 10 API calls 2665->2666 2667 7ff6b1684b2b 2666->2667 2688 7ff6b1685fd8 2667->2688 2670 7ff6b1684b3f 2695 7ff6b16860c8 2670->2695 2673->2646 2673->2664 2699 7ff6b16852d0 2673->2699 2713 7ff6b16848d0 2673->2713 2674 7ff6b1684e7b terminate 2674->2654 2676 7ff6b1684b47 std::bad_alloc::bad_alloc __GSHandlerCheck_EH 2676->2674 2677 7ff6b1683f84 Concurrency::cancel_current_task 2 API calls 2676->2677 2678 7ff6b1684e7a 2677->2678 2678->2674 2680 7ff6b16843d0 ExFilterRethrow 10 API calls 2679->2680 2681 7ff6b1683bb1 2680->2681 2681->2597 2683 7ff6b16843d0 ExFilterRethrow 10 API calls 2682->2683 2684 7ff6b1683bde 2683->2684 2684->2613 2686 7ff6b16843d0 ExFilterRethrow 10 API calls 2685->2686 2687 7ff6b1683bf6 2686->2687 2687->2633 2687->2661 2689 7ff6b16860bf abort 2688->2689 2692 7ff6b1686003 2688->2692 2690 7ff6b1684b3b 2690->2638 2690->2670 2691 7ff6b1683bbc 10 API calls BuildCatchObjectHelperInternal 2691->2692 2692->2690 2692->2691 2693 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2692->2693 2737 7ff6b1685190 2692->2737 2693->2692 2696 7ff6b1686135 2695->2696 2698 7ff6b16860e5 Is_bad_exception_allowed 2695->2698 2696->2676 2697 7ff6b1683ba8 10 API calls Is_bad_exception_allowed 2697->2698 2698->2696 2698->2697 2700 7ff6b16852fd 2699->2700 2701 7ff6b168538d 2699->2701 2702 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2700->2702 2701->2673 2703 7ff6b1685306 2702->2703 2703->2701 2704 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2703->2704 2705 7ff6b168531f 2703->2705 2704->2705 2705->2701 2706 7ff6b168534c 2705->2706 2707 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2705->2707 2708 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2706->2708 2707->2706 2709 7ff6b1685360 2708->2709 2709->2701 2710 7ff6b1685379 2709->2710 2711 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2709->2711 2712 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2710->2712 2711->2710 2712->2701 2714 7ff6b168490d __GSHandlerCheck_EH 2713->2714 2715 7ff6b1684933 2714->2715 2751 7ff6b168480c 2714->2751 2717 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2715->2717 2718 7ff6b1684945 2717->2718 2760 7ff6b1683838 RtlUnwindEx 2718->2760 2722 7ff6b1685169 2721->2722 2723 7ff6b1684ef4 2721->2723 2725 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 2722->2725 2724 7ff6b16843d0 ExFilterRethrow 10 API calls 2723->2724 2727 7ff6b1684ef9 2724->2727 2726 7ff6b1685175 2725->2726 2726->2641 2728 7ff6b1684f60 __GSHandlerCheck_EH 2727->2728 2729 7ff6b1684f0e EncodePointer 2727->2729 2728->2722 2731 7ff6b1685189 abort 2728->2731 2735 7ff6b1684f82 __GSHandlerCheck_EH 2728->2735 2730 7ff6b16843d0 ExFilterRethrow 10 API calls 2729->2730 2732 7ff6b1684f1e 2730->2732 2732->2728 2784 7ff6b16834f8 2732->2784 2734 7ff6b16848d0 __GSHandlerCheck_EH 21 API calls 2734->2735 2735->2722 2735->2734 2736 7ff6b1683ba8 10 API calls Is_bad_exception_allowed 2735->2736 2736->2735 2738 7ff6b168524c 2737->2738 2739 7ff6b16851bd 2737->2739 2738->2692 2740 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2739->2740 2741 7ff6b16851c6 2740->2741 2741->2738 2742 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2741->2742 2743 7ff6b16851df 2741->2743 2742->2743 2743->2738 2744 7ff6b168520b 2743->2744 2745 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2743->2745 2746 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2744->2746 2745->2744 2747 7ff6b168521f 2746->2747 2747->2738 2748 7ff6b1685238 2747->2748 2749 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2747->2749 2750 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2748->2750 2749->2748 2750->2738 2752 7ff6b168482f 2751->2752 2763 7ff6b1684608 2752->2763 2754 7ff6b1684840 2755 7ff6b1684845 __AdjustPointer 2754->2755 2756 7ff6b1684881 __AdjustPointer 2754->2756 2758 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2755->2758 2759 7ff6b1684864 BuildCatchObjectHelperInternal 2755->2759 2757 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2756->2757 2756->2759 2757->2759 2758->2759 2759->2715 2761 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 2760->2761 2762 7ff6b168394e 2761->2762 2762->2673 2764 7ff6b1684635 2763->2764 2766 7ff6b168463e 2763->2766 2765 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2764->2765 2765->2766 2767 7ff6b1683ba8 Is_bad_exception_allowed 10 API calls 2766->2767 2768 7ff6b168465d 2766->2768 2775 7ff6b16846c2 __AdjustPointer BuildCatchObjectHelperInternal 2766->2775 2767->2768 2769 7ff6b16846aa 2768->2769 2770 7ff6b16846ca 2768->2770 2768->2775 2772 7ff6b16847e9 abort abort 2769->2772 2769->2775 2771 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2770->2771 2773 7ff6b168474a 2770->2773 2770->2775 2771->2773 2774 7ff6b168480c 2772->2774 2773->2775 2776 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2773->2776 2777 7ff6b1684608 BuildCatchObjectHelperInternal 10 API calls 2774->2777 2775->2754 2776->2775 2778 7ff6b1684840 2777->2778 2779 7ff6b1684845 __AdjustPointer 2778->2779 2780 7ff6b1684881 __AdjustPointer 2778->2780 2782 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2779->2782 2783 7ff6b1684864 BuildCatchObjectHelperInternal 2779->2783 2781 7ff6b1683bbc BuildCatchObjectHelperInternal 10 API calls 2780->2781 2780->2783 2781->2783 2782->2783 2783->2754 2785 7ff6b16843d0 ExFilterRethrow 10 API calls 2784->2785 2786 7ff6b1683524 2785->2786 2786->2728 2787 7ff6b16843b0 2788 7ff6b16843ca 2787->2788 2789 7ff6b16843b9 2787->2789 2789->2788 2790 7ff6b16843c5 free 2789->2790 2790->2788 2791 7ff6b1681630 2794 7ff6b1683d50 2791->2794 2795 7ff6b168164c 2794->2795 2796 7ff6b1683d5f free 2794->2796 2796->2795 2989 7ff6b1682970 2992 7ff6b1682da0 2989->2992 2993 7ff6b1682979 2992->2993 2994 7ff6b1682dc3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 2992->2994 2994->2993 2995 7ff6b168756f 2996 7ff6b16843d0 ExFilterRethrow 10 API calls 2995->2996 2997 7ff6b168757d 2996->2997 2998 7ff6b1687588 2997->2998 2999 7ff6b16843d0 ExFilterRethrow 10 API calls 2997->2999 2999->2998 2797 7ff6b168191a 2798 7ff6b168194d 2797->2798 2801 7ff6b16818a0 2797->2801 2799 7ff6b16820c0 21 API calls 2798->2799 2799->2801 2800 7ff6b1681d76 2802 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 2800->2802 2801->2800 2803 7ff6b1681dd0 2801->2803 2804 7ff6b16820c0 21 API calls 2801->2804 2805 7ff6b1681d87 2802->2805 2806 7ff6b1681450 6 API calls 2803->2806 2804->2801 2806->2800 2807 7ff6b168291a 2808 7ff6b1683020 __scrt_is_managed_app GetModuleHandleW 2807->2808 2809 7ff6b1682921 2808->2809 2810 7ff6b1682925 2809->2810 2811 7ff6b1682960 _exit 2809->2811 3000 7ff6b1687559 3003 7ff6b1684158 3000->3003 3004 7ff6b1684182 3003->3004 3005 7ff6b1684170 3003->3005 3007 7ff6b16843d0 ExFilterRethrow 10 API calls 3004->3007 3005->3004 3006 7ff6b1684178 3005->3006 3009 7ff6b1684180 3006->3009 3010 7ff6b16843d0 ExFilterRethrow 10 API calls 3006->3010 3008 7ff6b1684187 3007->3008 3008->3009 3011 7ff6b16843d0 ExFilterRethrow 10 API calls 3008->3011 3012 7ff6b16841a7 3010->3012 3011->3009 3013 7ff6b16843d0 ExFilterRethrow 10 API calls 3012->3013 3014 7ff6b16841b4 terminate 3013->3014 2812 7ff6b1681b18 _time64 2813 7ff6b1681b34 2812->2813 2814 7ff6b1681bf1 2813->2814 2828 7ff6b1681ee0 2813->2828 2817 7ff6b1681c34 BuildCatchObjectHelperInternal 2814->2817 2842 7ff6b1682230 2814->2842 2818 7ff6b1681da2 _invalid_parameter_noinfo_noreturn 2817->2818 2819 7ff6b16818a0 2817->2819 2820 7ff6b1681da9 WSAGetLastError 2818->2820 2822 7ff6b1681d76 2819->2822 2824 7ff6b1681dd0 2819->2824 2825 7ff6b16820c0 21 API calls 2819->2825 2821 7ff6b1681450 6 API calls 2820->2821 2821->2822 2823 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 2822->2823 2826 7ff6b1681d87 2823->2826 2827 7ff6b1681450 6 API calls 2824->2827 2825->2819 2827->2822 2829 7ff6b1681f04 BuildCatchObjectHelperInternal 2828->2829 2834 7ff6b1681f25 2828->2834 2829->2814 2830 7ff6b1682031 2831 7ff6b16817e0 21 API calls 2830->2831 2833 7ff6b1682036 2831->2833 2832 7ff6b1681f74 2832->2833 2835 7ff6b1682690 5 API calls 2832->2835 2837 7ff6b1681720 Concurrency::cancel_current_task 4 API calls 2833->2837 2834->2830 2834->2832 2836 7ff6b1681fa9 2834->2836 2841 7ff6b1681f92 BuildCatchObjectHelperInternal 2835->2841 2839 7ff6b1682690 5 API calls 2836->2839 2836->2841 2840 7ff6b168203c 2837->2840 2838 7ff6b168202a _invalid_parameter_noinfo_noreturn 2838->2830 2839->2841 2841->2829 2841->2838 2843 7ff6b16823ab 2842->2843 2844 7ff6b168225e 2842->2844 2846 7ff6b16817e0 21 API calls 2843->2846 2845 7ff6b16822be 2844->2845 2848 7ff6b16822e6 2844->2848 2849 7ff6b16822b1 2844->2849 2850 7ff6b1682690 5 API calls 2845->2850 2847 7ff6b16823b0 2846->2847 2851 7ff6b1681720 Concurrency::cancel_current_task 4 API calls 2847->2851 2853 7ff6b1682690 5 API calls 2848->2853 2855 7ff6b16822cf BuildCatchObjectHelperInternal 2848->2855 2849->2845 2849->2847 2850->2855 2854 7ff6b16823b6 2851->2854 2852 7ff6b1682364 _invalid_parameter_noinfo_noreturn 2856 7ff6b1682357 BuildCatchObjectHelperInternal 2852->2856 2853->2855 2855->2852 2855->2856 2856->2817 3015 7ff6b16874d6 3016 7ff6b1683b54 11 API calls 3015->3016 3017 7ff6b16874e9 3016->3017 3021 7ff6b1684104 10 API calls 3017->3021 3024 7ff6b168751a __GSHandlerCheck_EH 3017->3024 3018 7ff6b16843d0 ExFilterRethrow 10 API calls 3019 7ff6b168752e 3018->3019 3020 7ff6b16843d0 ExFilterRethrow 10 API calls 3019->3020 3022 7ff6b168753b 3020->3022 3021->3024 3023 7ff6b16843d0 ExFilterRethrow 10 API calls 3022->3023 3025 7ff6b1687548 3023->3025 3024->3018 2857 7ff6b1684024 2864 7ff6b168642c 2857->2864 2863 7ff6b1684031 2876 7ff6b1686714 2864->2876 2867 7ff6b168402d 2867->2863 2869 7ff6b16844ac 2867->2869 2868 7ff6b1686460 __vcrt_uninitialize_locks DeleteCriticalSection 2868->2867 2881 7ff6b16865e8 2869->2881 2877 7ff6b1686498 __vcrt_InitializeCriticalSectionEx 5 API calls 2876->2877 2878 7ff6b168674a 2877->2878 2879 7ff6b1686444 2878->2879 2880 7ff6b168675f InitializeCriticalSectionAndSpinCount 2878->2880 2879->2867 2879->2868 2880->2879 2882 7ff6b1686498 __vcrt_InitializeCriticalSectionEx 5 API calls 2881->2882 2883 7ff6b168660d TlsAlloc 2882->2883 3026 7ff6b1685860 3027 7ff6b16843d0 ExFilterRethrow 10 API calls 3026->3027 3028 7ff6b16858ad 3027->3028 3029 7ff6b16843d0 ExFilterRethrow 10 API calls 3028->3029 3030 7ff6b16858bb __except_validate_context_record 3029->3030 3031 7ff6b16843d0 ExFilterRethrow 10 API calls 3030->3031 3032 7ff6b1685914 3031->3032 3033 7ff6b16843d0 ExFilterRethrow 10 API calls 3032->3033 3034 7ff6b168591d 3033->3034 3035 7ff6b16843d0 ExFilterRethrow 10 API calls 3034->3035 3036 7ff6b1685926 3035->3036 3055 7ff6b1683b18 3036->3055 3039 7ff6b16843d0 ExFilterRethrow 10 API calls 3040 7ff6b1685959 3039->3040 3041 7ff6b1685aa9 abort 3040->3041 3042 7ff6b1685991 3040->3042 3043 7ff6b1683b54 11 API calls 3042->3043 3047 7ff6b1685a31 3043->3047 3044 7ff6b1685a5a __GSHandlerCheck_EH 3045 7ff6b16843d0 ExFilterRethrow 10 API calls 3044->3045 3046 7ff6b1685a6d 3045->3046 3048 7ff6b16843d0 ExFilterRethrow 10 API calls 3046->3048 3047->3044 3049 7ff6b1684104 10 API calls 3047->3049 3050 7ff6b1685a76 3048->3050 3049->3044 3051 7ff6b16843d0 ExFilterRethrow 10 API calls 3050->3051 3052 7ff6b1685a7f 3051->3052 3053 7ff6b16843d0 ExFilterRethrow 10 API calls 3052->3053 3054 7ff6b1685a8e 3053->3054 3056 7ff6b16843d0 ExFilterRethrow 10 API calls 3055->3056 3057 7ff6b1683b29 3056->3057 3058 7ff6b1683b34 3057->3058 3059 7ff6b16843d0 ExFilterRethrow 10 API calls 3057->3059 3060 7ff6b16843d0 ExFilterRethrow 10 API calls 3058->3060 3059->3058 3061 7ff6b1683b45 3060->3061 3061->3039 3061->3040 3062 7ff6b1687260 3063 7ff6b1687273 3062->3063 3064 7ff6b1687280 3062->3064 3065 7ff6b1681e80 _invalid_parameter_noinfo_noreturn 3063->3065 3065->3064 3066 7ff6b1681ce0 3067 7ff6b1682688 5 API calls 3066->3067 3068 7ff6b1681cea gethostname 3067->3068 3069 7ff6b1681da9 WSAGetLastError 3068->3069 3070 7ff6b1681d08 3068->3070 3071 7ff6b1681450 6 API calls 3069->3071 3080 7ff6b1682040 3070->3080 3073 7ff6b1681d76 3071->3073 3074 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 3073->3074 3075 7ff6b1681d87 3074->3075 3076 7ff6b16818a0 3076->3073 3077 7ff6b1681dd0 3076->3077 3078 7ff6b16820c0 21 API calls 3076->3078 3079 7ff6b1681450 6 API calls 3077->3079 3078->3076 3079->3073 3081 7ff6b1682063 BuildCatchObjectHelperInternal 3080->3081 3082 7ff6b16820a2 3080->3082 3081->3076 3083 7ff6b1682230 22 API calls 3082->3083 3084 7ff6b16820b5 3083->3084 3084->3076 3088 7ff6b168195f 3089 7ff6b168196d 3088->3089 3090 7ff6b1681a23 3089->3090 3091 7ff6b1681ee0 22 API calls 3089->3091 3092 7ff6b1682230 22 API calls 3090->3092 3093 7ff6b1681a67 BuildCatchObjectHelperInternal 3090->3093 3091->3090 3092->3093 3094 7ff6b1681da2 _invalid_parameter_noinfo_noreturn 3093->3094 3095 7ff6b16818a0 3093->3095 3096 7ff6b1681da9 WSAGetLastError 3094->3096 3099 7ff6b1681dd0 3095->3099 3100 7ff6b16820c0 21 API calls 3095->3100 3103 7ff6b1681d76 3095->3103 3097 7ff6b1681450 6 API calls 3096->3097 3097->3103 3098 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 3101 7ff6b1681d87 3098->3101 3102 7ff6b1681450 6 API calls 3099->3102 3100->3095 3102->3103 3103->3098 3104 7ff6b16848c7 abort 2888 7ff6b1687411 2889 7ff6b1687495 2888->2889 2890 7ff6b1687429 2888->2890 2890->2889 2891 7ff6b16843d0 ExFilterRethrow 10 API calls 2890->2891 2892 7ff6b1687476 2891->2892 2893 7ff6b16843d0 ExFilterRethrow 10 API calls 2892->2893 2894 7ff6b168748b terminate 2893->2894 2894->2889 3105 7ff6b1681550 3106 7ff6b1683d50 __std_exception_destroy free 3105->3106 3107 7ff6b1681567 3106->3107 2895 7ff6b1683090 2896 7ff6b16830c4 2895->2896 2897 7ff6b16830a8 2895->2897 2897->2896 2902 7ff6b16841c0 2897->2902 2901 7ff6b16830e2 2903 7ff6b16843d0 ExFilterRethrow 10 API calls 2902->2903 2904 7ff6b16830d6 2903->2904 2905 7ff6b16841d4 2904->2905 2906 7ff6b16843d0 ExFilterRethrow 10 API calls 2905->2906 2907 7ff6b16841dd 2906->2907 2907->2901 2908 7ff6b1687290 2909 7ff6b16872a3 2908->2909 2910 7ff6b16872b0 2908->2910 2912 7ff6b1681e80 2909->2912 2913 7ff6b1681e93 2912->2913 2914 7ff6b1681eb7 2912->2914 2913->2914 2915 7ff6b1681ed8 _invalid_parameter_noinfo_noreturn 2913->2915 2914->2910 2919 7ff6b1687090 2920 7ff6b16870d2 __GSHandlerCheckCommon 2919->2920 2921 7ff6b16870fa 2920->2921 2923 7ff6b1683d78 2920->2923 2924 7ff6b1683da8 _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 2923->2924 2925 7ff6b1683e99 2924->2925 2926 7ff6b1683e64 RtlUnwindEx 2924->2926 2925->2921 2926->2924 2927 7ff6b1681510 2928 7ff6b1683cc0 __std_exception_copy 2 API calls 2927->2928 2929 7ff6b1681539 2928->2929 3108 7ff6b16827d0 3112 7ff6b1683074 SetUnhandledExceptionFilter 3108->3112 3113 7ff6b168733c _seh_filter_exe 3117 7ff6b1681d39 3118 7ff6b1681d40 3117->3118 3118->3118 3119 7ff6b1682040 22 API calls 3118->3119 3121 7ff6b16818a0 3118->3121 3119->3121 3120 7ff6b1681d76 3122 7ff6b1682660 __GSHandlerCheck_EH 8 API calls 3120->3122 3121->3120 3123 7ff6b1681dd0 3121->3123 3124 7ff6b16820c0 21 API calls 3121->3124 3125 7ff6b1681d87 3122->3125 3126 7ff6b1681450 6 API calls 3123->3126 3124->3121 3126->3120 2939 7ff6b1682700 2940 7ff6b1682710 2939->2940 2952 7ff6b1682bd8 2940->2952 2942 7ff6b1682ecc 7 API calls 2943 7ff6b16827b5 2942->2943 2944 7ff6b1682734 _RTC_Initialize 2949 7ff6b1682797 2944->2949 2960 7ff6b1682e64 InitializeSListHead 2944->2960 2949->2942 2951 7ff6b16827a5 2949->2951 2953 7ff6b1682be9 2952->2953 2954 7ff6b1682c1b 2952->2954 2955 7ff6b1682c58 2953->2955 2958 7ff6b1682bee __scrt_release_startup_lock 2953->2958 2954->2944 2956 7ff6b1682ecc 7 API calls 2955->2956 2957 7ff6b1682c62 2956->2957 2958->2954 2959 7ff6b1682c0b _initialize_onexit_table 2958->2959 2959->2954

                                                            Executed Functions

                                                            Function 00007FF6B1681060 Relevance: 65.0, APIs: 13, Strings: 24, Instructions: 214stringCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 0 7ff6b1681060-7ff6b16810ae 1 7ff6b1681386-7ff6b1681394 call 7ff6b1681450 0->1 2 7ff6b16810b4-7ff6b16810c6 0->2 7 7ff6b1681399 1->7 3 7ff6b16810d0-7ff6b16810d6 2->3 5 7ff6b16810dc-7ff6b16810df 3->5 6 7ff6b168127f-7ff6b1681283 3->6 9 7ff6b16810ed 5->9 10 7ff6b16810e1-7ff6b16810e5 5->10 6->3 8 7ff6b1681289-7ff6b1681299 6->8 11 7ff6b168139e-7ff6b16813b7 7->11 8->1 12 7ff6b168129f-7ff6b16812b7 call 7ff6b1682688 8->12 14 7ff6b16810f0-7ff6b16810fc 9->14 10->9 13 7ff6b16810e7-7ff6b16810eb 10->13 23 7ff6b168132a-7ff6b1681336 call 7ff6b16823c0 12->23 24 7ff6b16812b9-7ff6b16812c9 GetTempPathA 12->24 13->9 16 7ff6b1681104-7ff6b168110b 13->16 17 7ff6b1681110-7ff6b1681113 14->17 18 7ff6b16810fe-7ff6b1681102 14->18 20 7ff6b168127b 16->20 21 7ff6b1681125-7ff6b1681136 strcmp 17->21 22 7ff6b1681115-7ff6b1681119 17->22 18->14 18->16 20->6 26 7ff6b168113c-7ff6b168113f 21->26 27 7ff6b1681267-7ff6b168126e 21->27 22->21 25 7ff6b168111b-7ff6b168111f 22->25 41 7ff6b1681338-7ff6b1681344 call 7ff6b16813c0 23->41 42 7ff6b1681346 23->42 31 7ff6b16812cb-7ff6b16812e7 GetLastError call 7ff6b1681450 GetLastError 24->31 32 7ff6b16812e9-7ff6b1681302 strcat_s 24->32 25->21 25->27 28 7ff6b1681151-7ff6b1681162 strcmp 26->28 29 7ff6b1681141-7ff6b1681145 26->29 33 7ff6b1681276 27->33 36 7ff6b1681258-7ff6b1681265 28->36 37 7ff6b1681168-7ff6b168116b 28->37 29->28 34 7ff6b1681147-7ff6b168114b 29->34 52 7ff6b1681313-7ff6b1681323 call 7ff6b1682680 31->52 39 7ff6b1681325 32->39 40 7ff6b1681304-7ff6b1681312 call 7ff6b1681450 32->40 33->20 34->28 34->36 36->20 43 7ff6b168117d-7ff6b168118e strcmp 37->43 44 7ff6b168116d-7ff6b1681171 37->44 39->23 40->52 49 7ff6b168134b-7ff6b1681384 __acrt_iob_func fflush __acrt_iob_func fflush call 7ff6b1682680 41->49 42->49 50 7ff6b1681247-7ff6b1681256 43->50 51 7ff6b1681194-7ff6b1681197 43->51 44->43 48 7ff6b1681173-7ff6b1681177 44->48 48->43 48->50 49->11 50->33 56 7ff6b1681199-7ff6b168119d 51->56 57 7ff6b16811a5-7ff6b16811af 51->57 52->11 56->57 60 7ff6b168119f-7ff6b16811a3 56->60 61 7ff6b16811b0-7ff6b16811bb 57->61 60->57 63 7ff6b16811c3-7ff6b16811d2 60->63 64 7ff6b16811bd-7ff6b16811c1 61->64 65 7ff6b16811d7-7ff6b16811da 61->65 63->33 64->61 64->63 66 7ff6b16811ec-7ff6b16811f6 65->66 67 7ff6b16811dc-7ff6b16811e0 65->67 69 7ff6b1681200-7ff6b168120b 66->69 67->66 68 7ff6b16811e2-7ff6b16811e6 67->68 68->20 68->66 70 7ff6b168120d-7ff6b1681211 69->70 71 7ff6b1681215-7ff6b1681218 69->71 70->69 72 7ff6b1681213 70->72 73 7ff6b168121a-7ff6b168121e 71->73 74 7ff6b1681226-7ff6b1681237 strcmp 71->74 72->20 73->74 75 7ff6b1681220-7ff6b1681224 73->75 74->20 76 7ff6b1681239-7ff6b1681245 atoi 74->76 75->20 75->74 76->20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                            • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                            • API String ID: 2647627392-2367407095
                                                            • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                            • Instruction ID: 2004c1f90401ed4a283d50a657da5d9ae965574debe5c808bc01a0941abb8278
                                                            • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                            • Instruction Fuzzy Hash: 82A15551D1C682BBFB619F28A4502B967A4EB4775CF048137DB8EC2699FE3CE484E300
                                                            Function 00007FF6B16827EC Relevance: 13.6, APIs: 9, Instructions: 102COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                            • String ID:
                                                            • API String ID: 2308368977-0
                                                            • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                            • Instruction ID: 1ab3b125b9c865b645e9c8d596d8f1ed00385356e097154171975c4a4704ad15
                                                            • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                            • Instruction Fuzzy Hash: DE312921A18243A3EB14AB69A4153B91291AF4778CF44503BEB0D873E3FE2DE944E240
                                                            Function 00007FF6B1681450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                            • String ID: [createdump]
                                                            • API String ID: 3735572767-2657508301
                                                            • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                            • Instruction ID: 916fdb2eaf0d3d7dbbbbb3c8bce7210dea8b3fa07bd8dc9e48c173ea1bb2e6c5
                                                            • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                            • Instruction Fuzzy Hash: E101AD31A18B81A3E7109B54F81416AA368FF86BD8F10853AEF8D83769EF3CD455D340

                                                            Non-executed Functions

                                                            Function 00007FF6B1682ECC Relevance: 10.6, APIs: 7, Instructions: 72COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 3140674995-0
                                                            • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                            • Instruction ID: af98d89652ae45a43123a637e178a96cd14499e2374f306c09459caaf16e4624
                                                            • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                            • Instruction Fuzzy Hash: 23317072618B8196EB608F64E8503EE7365FB85748F50403ADB4E87B94EF3CC648D714
                                                            Function 00007FF6B1683074 Relevance: .0, Instructions: 2COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                            • Instruction ID: 3dda0b289092b15eb712084c2687806249a5762ed6f1121836f182bb1d99b898
                                                            • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                            • Instruction Fuzzy Hash: 02A0022191CC02F2E7548F18E8541312334FB52308B600533D60DC10A0BF3CE546F300
                                                            Function 00007FF6B16823C0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 157COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6B168242D
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6B168243B
                                                              • Part of subcall function 00007FF6B1681450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B1681475
                                                              • Part of subcall function 00007FF6B1681450: fprintf.MSPDB140-MSVCRT ref: 00007FF6B1681485
                                                              • Part of subcall function 00007FF6B1681450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B1681494
                                                              • Part of subcall function 00007FF6B1681450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B16814B3
                                                              • Part of subcall function 00007FF6B1681450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B16814BE
                                                              • Part of subcall function 00007FF6B1681450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B16814C7
                                                            • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6B1682466
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6B1682470
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6B1682487
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6B16825F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                            • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                            • API String ID: 3971781330-1292085346
                                                            • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                            • Instruction ID: 2fd7e3bc79bb60076b67fc7d27129059ba274ecd3971a68ca16aa5f971e1c1a5
                                                            • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                            • Instruction Fuzzy Hash: CC61873161864293E7209B19E45077E77A1FB86798F600136DF9E83AA5EF3CE445E740
                                                            Function 00007FF6B16849A4 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 316COMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 177 7ff6b16849a4-7ff6b1684a07 call 7ff6b1684518 180 7ff6b1684a09-7ff6b1684a12 call 7ff6b16843d0 177->180 181 7ff6b1684a20-7ff6b1684a29 call 7ff6b16843d0 177->181 186 7ff6b1684e99-7ff6b1684e9f abort 180->186 187 7ff6b1684a18-7ff6b1684a1e 180->187 188 7ff6b1684a2b-7ff6b1684a38 call 7ff6b16843d0 * 2 181->188 189 7ff6b1684a3f-7ff6b1684a42 181->189 187->189 188->189 189->186 190 7ff6b1684a48-7ff6b1684a54 189->190 192 7ff6b1684a56-7ff6b1684a7d 190->192 193 7ff6b1684a7f 190->193 195 7ff6b1684a81-7ff6b1684a83 192->195 193->195 195->186 198 7ff6b1684a89-7ff6b1684a8f 195->198 199 7ff6b1684b59-7ff6b1684b6f call 7ff6b1685724 198->199 200 7ff6b1684a95-7ff6b1684a99 198->200 205 7ff6b1684b75-7ff6b1684b79 199->205 206 7ff6b1684def-7ff6b1684df3 199->206 200->199 202 7ff6b1684a9f-7ff6b1684aaa 200->202 202->199 204 7ff6b1684ab0-7ff6b1684ab5 202->204 204->199 207 7ff6b1684abb-7ff6b1684ac5 call 7ff6b16843d0 204->207 205->206 208 7ff6b1684b7f-7ff6b1684b8a 205->208 210 7ff6b1684e2b-7ff6b1684e35 call 7ff6b16843d0 206->210 211 7ff6b1684df5-7ff6b1684dfc 206->211 220 7ff6b1684acb-7ff6b1684af1 call 7ff6b16843d0 * 2 call 7ff6b1683be8 207->220 221 7ff6b1684e37-7ff6b1684e56 call 7ff6b1682660 207->221 208->206 214 7ff6b1684b90-7ff6b1684b94 208->214 210->186 210->221 211->186 212 7ff6b1684e02-7ff6b1684e26 call 7ff6b1684ea0 211->212 212->210 218 7ff6b1684b9a-7ff6b1684bd1 call 7ff6b16836d0 214->218 219 7ff6b1684dd4-7ff6b1684dd8 214->219 218->219 232 7ff6b1684bd7-7ff6b1684be2 218->232 219->210 223 7ff6b1684dda-7ff6b1684de7 call 7ff6b1683670 219->223 246 7ff6b1684af3-7ff6b1684af7 220->246 247 7ff6b1684b11-7ff6b1684b1b call 7ff6b16843d0 220->247 235 7ff6b1684ded 223->235 236 7ff6b1684e81-7ff6b1684e98 call 7ff6b16843d0 * 2 terminate 223->236 233 7ff6b1684be6-7ff6b1684bf6 232->233 237 7ff6b1684bfc-7ff6b1684c02 233->237 238 7ff6b1684d2f-7ff6b1684dce 233->238 235->210 236->186 237->238 241 7ff6b1684c08-7ff6b1684c31 call 7ff6b16856a8 237->241 238->219 238->233 241->238 252 7ff6b1684c37-7ff6b1684c7e call 7ff6b1683bbc * 2 241->252 246->247 250 7ff6b1684af9-7ff6b1684b04 246->250 247->199 256 7ff6b1684b1d-7ff6b1684b3d call 7ff6b16843d0 * 2 call 7ff6b1685fd8 247->256 250->247 253 7ff6b1684b06-7ff6b1684b0b 250->253 263 7ff6b1684cba-7ff6b1684cd0 call 7ff6b1685ab0 252->263 264 7ff6b1684c80-7ff6b1684ca5 call 7ff6b1683bbc call 7ff6b16852d0 252->264 253->186 253->247 272 7ff6b1684b54 256->272 273 7ff6b1684b3f-7ff6b1684b49 call 7ff6b16860c8 256->273 274 7ff6b1684d2b 263->274 275 7ff6b1684cd2 263->275 280 7ff6b1684cd7-7ff6b1684d26 call 7ff6b16848d0 264->280 281 7ff6b1684ca7-7ff6b1684cb3 264->281 272->199 283 7ff6b1684e7b-7ff6b1684e80 terminate 273->283 284 7ff6b1684b4f-7ff6b1684e7a call 7ff6b1684090 call 7ff6b1685838 call 7ff6b1683f84 273->284 274->238 275->252 280->274 281->264 282 7ff6b1684cb5 281->282 282->263 283->236 284->283
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 695522112-393685449
                                                            • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                            • Instruction ID: 059fcf9f46f4fd1a4d10da56b1d3a84ebb688aca0680997304a52ec5aaf85392
                                                            • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                            • Instruction Fuzzy Hash: 62E18E739086829BE7209F29D4803AD7BA0FB5674CF154136DB8D87796EF38E585E700
                                                            Function 00007FF6B16813C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                            • String ID: [createdump]
                                                            • API String ID: 3735572767-2657508301
                                                            • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                            • Instruction ID: f0a8f4e71cf242ca67feb1454567c9338c3e595ee50b5177226115d24093d537
                                                            • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                            • Instruction Fuzzy Hash: 3B018F31A18B4193E7109B54F8141AAA364FB86BD8F108136DB8D43769EF3CD495D340
                                                            Function 00007FF6B1681800 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92networkCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • WSAStartup.WS2_32 ref: 00007FF6B168186C
                                                              • Part of subcall function 00007FF6B1681450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B1681475
                                                              • Part of subcall function 00007FF6B1681450: fprintf.MSPDB140-MSVCRT ref: 00007FF6B1681485
                                                              • Part of subcall function 00007FF6B1681450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B1681494
                                                              • Part of subcall function 00007FF6B1681450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B16814B3
                                                              • Part of subcall function 00007FF6B1681450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B16814BE
                                                              • Part of subcall function 00007FF6B1681450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B16814C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                            • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                            • API String ID: 3378602911-3973674938
                                                            • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                            • Instruction ID: 00b92d18077c07829da4421e2e1d2e1de82b9348db329c722454ec97983e6f0a
                                                            • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                            • Instruction Fuzzy Hash: 0431F062E18A81ABE7598F1DA8557F927A2BB47788F450037DF4D43391EE3CE145E700
                                                            Function 00007FF6B1686498 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF6B168669F,?,?,?,00007FF6B168441E,?,?,?,00007FF6B16843D9), ref: 00007FF6B168651D
                                                            • GetLastError.KERNEL32(?,00000000,00007FF6B168669F,?,?,?,00007FF6B168441E,?,?,?,00007FF6B16843D9,?,?,?,?,00007FF6B1683524), ref: 00007FF6B168652B
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00007FF6B168669F,?,?,?,00007FF6B168441E,?,?,?,00007FF6B16843D9,?,?,?,?,00007FF6B1683524), ref: 00007FF6B1686555
                                                            • FreeLibrary.KERNEL32(?,00000000,00007FF6B168669F,?,?,?,00007FF6B168441E,?,?,?,00007FF6B16843D9,?,?,?,?,00007FF6B1683524), ref: 00007FF6B168659B
                                                            • GetProcAddress.KERNEL32(?,00000000,00007FF6B168669F,?,?,?,00007FF6B168441E,?,?,?,00007FF6B16843D9,?,?,?,?,00007FF6B1683524), ref: 00007FF6B16865A7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                            • String ID: api-ms-
                                                            • API String ID: 2559590344-2084034818
                                                            • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                            • Instruction ID: eda4979e2c53736964b75ded7590349cb5e065fe545f5cf162f25d715660b5bf
                                                            • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                            • Instruction Fuzzy Hash: DA31C321A1A602A3FF21DB0A980057523D4FF5ABA8F294636DF5D8B798FF3CE0459311
                                                            Function 00007FF6B1681B18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 360 7ff6b1681b18-7ff6b1681b32 _time64 361 7ff6b1681b34-7ff6b1681b37 360->361 362 7ff6b1681b80-7ff6b1681ba8 360->362 363 7ff6b1681b40-7ff6b1681b68 361->363 362->362 364 7ff6b1681baa-7ff6b1681bd8 362->364 363->363 365 7ff6b1681b6a-7ff6b1681b71 363->365 366 7ff6b1681bfa-7ff6b1681c32 364->366 367 7ff6b1681bda-7ff6b1681bf5 call 7ff6b1681ee0 364->367 365->364 369 7ff6b1681c64-7ff6b1681c78 call 7ff6b1682230 366->369 370 7ff6b1681c34-7ff6b1681c43 366->370 367->366 377 7ff6b1681c7d-7ff6b1681c88 369->377 373 7ff6b1681c48-7ff6b1681c62 call 7ff6b16868c0 370->373 374 7ff6b1681c45 370->374 373->377 374->373 379 7ff6b1681cbb-7ff6b1681cde 377->379 380 7ff6b1681c8a-7ff6b1681c98 377->380 383 7ff6b1681d55-7ff6b1681d70 379->383 381 7ff6b1681c9a-7ff6b1681cad 380->381 382 7ff6b1681cb3-7ff6b1681cb6 call 7ff6b1682680 380->382 381->382 385 7ff6b1681da2-7ff6b1681dce _invalid_parameter_noinfo_noreturn WSAGetLastError call 7ff6b1681450 call 7ff6b1682680 381->385 382->379 387 7ff6b1681d76 383->387 388 7ff6b16818a0-7ff6b16818a3 383->388 392 7ff6b1681d78-7ff6b1681da1 call 7ff6b1682660 385->392 387->392 390 7ff6b16818a5-7ff6b16818b7 388->390 391 7ff6b16818f3-7ff6b16818fe 388->391 395 7ff6b16818b9-7ff6b16818c8 390->395 396 7ff6b16818e2-7ff6b16818ee call 7ff6b16820c0 390->396 398 7ff6b1681904-7ff6b1681915 391->398 399 7ff6b1681dd0-7ff6b1681dde call 7ff6b1681450 391->399 401 7ff6b16818cd-7ff6b16818dd 395->401 402 7ff6b16818ca 395->402 396->383 398->383 399->392 401->383 402->401
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: _time64
                                                            • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                            • API String ID: 1670930206-4114407318
                                                            • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                            • Instruction ID: 9dbb17828188bd08606b5d0f402148864185ae46e04f595130ab9eb4953ded00
                                                            • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                            • Instruction Fuzzy Hash: FC51C362A18B819BEB04CF2CE4943A967A5FB467D8F400136DB5D57BA9EF3CE041E740
                                                            Function 00007FF6B1684EA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: EncodePointerabort
                                                            • String ID: MOC$RCC
                                                            • API String ID: 1188231555-2084237596
                                                            • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                            • Instruction ID: 2c3bbc491e00a08828ae093dea6d0dd461a91017a6cb2a7146f51fdf8aeba99d
                                                            • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                            • Instruction Fuzzy Hash: 6C91A173A08B869BE710CB69E8802AD7BA0F74678CF14412AEF8D97755EF38D195D700
                                                            Function 00007FF6B1685414 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 459 7ff6b1685414-7ff6b1685461 call 7ff6b16863f4 call 7ff6b16843d0 464 7ff6b1685463-7ff6b1685469 459->464 465 7ff6b168548e-7ff6b1685492 459->465 464->465 466 7ff6b168546b-7ff6b168546e 464->466 467 7ff6b1685498-7ff6b168549b 465->467 468 7ff6b16855b2-7ff6b16855c7 call 7ff6b1685724 465->468 470 7ff6b1685480-7ff6b1685483 466->470 471 7ff6b1685470-7ff6b1685474 466->471 472 7ff6b16854a1-7ff6b16854d1 467->472 473 7ff6b1685680 467->473 479 7ff6b16855c9-7ff6b16855cc 468->479 480 7ff6b16855d2-7ff6b16855d8 468->480 470->465 477 7ff6b1685485-7ff6b1685488 470->477 476 7ff6b1685476-7ff6b168547e 471->476 471->477 472->473 478 7ff6b16854d7-7ff6b16854de 472->478 474 7ff6b1685685-7ff6b16856a1 473->474 476->465 476->470 477->465 477->473 478->473 481 7ff6b16854e4-7ff6b16854e8 478->481 479->473 479->480 484 7ff6b16855da-7ff6b16855de 480->484 485 7ff6b1685647-7ff6b168567b call 7ff6b16849a4 480->485 482 7ff6b168559f-7ff6b16855ad call 7ff6b1683678 481->482 483 7ff6b16854ee-7ff6b16854f1 481->483 482->473 487 7ff6b1685556-7ff6b1685559 483->487 488 7ff6b16854f3-7ff6b1685508 call 7ff6b1684520 483->488 484->485 490 7ff6b16855e0-7ff6b16855e7 484->490 485->473 487->482 494 7ff6b168555b-7ff6b1685563 487->494 498 7ff6b16856a2-7ff6b16856a7 abort 488->498 499 7ff6b168550e-7ff6b1685511 488->499 490->485 493 7ff6b16855e9-7ff6b16855f0 490->493 493->485 496 7ff6b16855f2-7ff6b1685605 call 7ff6b1683bbc 493->496 497 7ff6b1685569-7ff6b1685593 494->497 494->498 496->485 508 7ff6b1685607-7ff6b1685645 496->508 497->498 501 7ff6b1685599-7ff6b168559d 497->501 502 7ff6b168553a-7ff6b168553d 499->502 503 7ff6b1685513-7ff6b1685538 499->503 505 7ff6b1685546-7ff6b1685551 call 7ff6b1685cf0 501->505 502->498 506 7ff6b1685543 502->506 503->502 505->473 506->505 508->474
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: __except_validate_context_recordabort
                                                            • String ID: csm$csm
                                                            • API String ID: 746414643-3733052814
                                                            • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                            • Instruction ID: 0fc9a0deb3c10b3fe93b5359ad6c4f7b5c14e2759b8b9d6852aab8eb952d039a
                                                            • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                            • Instruction Fuzzy Hash: 0771C032A086929BDB208F29A0507797BA0FB43B9DF048136DB8C87A95FF3CD491D741
                                                            Function 00007FF6B168195F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                            • API String ID: 0-4114407318
                                                            • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                            • Instruction ID: d24288e81d54ac15c36fd4870099e42643f6481c59db00f7de2b72443726d7d5
                                                            • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                            • Instruction Fuzzy Hash: 8F51E562A18B8597E700CF2DE4407AAA7A1EB827D4F500136EB9D53BE9EF3DD041E740
                                                            Function 00007FF6B1685860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: CreateFrameInfo__except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 2558813199-1018135373
                                                            • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                            • Instruction ID: 4cb96385df7a5f1616eb1d27fd8af9d5e2a207055979813803a9d93ea4c8af6a
                                                            • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                            • Instruction Fuzzy Hash: C3515E7261874297D720AB1AE08036E77F4FB8AB98F140136DB8D87B55EF78E460DB00
                                                            Function 00007FF6B16817E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59networkCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00007FF6B16817EB
                                                            • WSAStartup.WS2_32 ref: 00007FF6B168186C
                                                              • Part of subcall function 00007FF6B1681450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B1681475
                                                              • Part of subcall function 00007FF6B1681450: fprintf.MSPDB140-MSVCRT ref: 00007FF6B1681485
                                                              • Part of subcall function 00007FF6B1681450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B1681494
                                                              • Part of subcall function 00007FF6B1681450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B16814B3
                                                              • Part of subcall function 00007FF6B1681450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B16814BE
                                                              • Part of subcall function 00007FF6B1681450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6B16814C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                            • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                            • API String ID: 1412700758-3183687674
                                                            • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                            • Instruction ID: a5ecc8d1bf2f8475b93eac86fd9d9ab5b970245e0975b72663b507aad1681ae6
                                                            • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                            • Instruction Fuzzy Hash: A701B522A18981EBF7619F16EC817EA6350BB8A79CF000037EF0D46651EE3CD486D700
                                                            Function 00007FF6B1681CE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54networkCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastgethostname
                                                            • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                            • API String ID: 3782448640-4114407318
                                                            • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                            • Instruction ID: 6fbbbc3684fb38a941fe1c22b79be5e9ab38a715f8f30ddf7fc30a2f997243ed
                                                            • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                            • Instruction Fuzzy Hash: 2011E711A08542ABE748AF29A8503FA22909F877ACF101137DB5F972D6EE3CD082A340
                                                            Function 00007FF6B1684158 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: terminate
                                                            • String ID: MOC$RCC$csm
                                                            • API String ID: 1821763600-2671469338
                                                            • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                            • Instruction ID: 4c308b8a10a4468e33ecc3933d69273bbf10566cbbf248ebd587f348c0499a9b
                                                            • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                            • Instruction Fuzzy Hash: FDF0AF36A08246E3E3645B5AA14127C3774EF59B4DF085032D7488A392FF7CE5A0E602
                                                            Function 00007FF6B16820C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF6B16818EE), ref: 00007FF6B16821E0
                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6B168221E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                            • String ID: Invalid process id '%d' error %d
                                                            • API String ID: 73155330-4244389950
                                                            • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                            • Instruction ID: 7a4e027dbad4cf2828176c8749f34e3038c67e6dd79988fff26189056c1e4fb7
                                                            • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                            • Instruction Fuzzy Hash: 21312666709781A7EB109F1995443B963A1EB06BD8F28063BDF9D47BD5EE7CE090E300
                                                            Function 00007FF6B1683F84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6B168173F), ref: 00007FF6B1683FC8
                                                            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6B168173F), ref: 00007FF6B168400E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.1869222493.00007FF6B1681000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B1680000, based on PE: true
                                                            • Associated: 00000007.00000002.1869191334.00007FF6B1680000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869265516.00007FF6B1688000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869305307.00007FF6B168C000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                            • Associated: 00000007.00000002.1869337071.00007FF6B168D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_7ff6b1680000_createdump.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFileHeaderRaise
                                                            • String ID: csm
                                                            • API String ID: 2573137834-1018135373
                                                            • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                            • Instruction ID: 45abeb1d6939d8b137709c35855383119fe3c0e38265e691babb6a6c7c5374e7
                                                            • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                            • Instruction Fuzzy Hash: CC113D32618B4192EB208B19F44026977A4FB89B98F284231EFCD47B58EF3DD556D740

                                                            Non-executed Functions

                                                            Function 00007FFE0144C0C0 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 169libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                            • API String ID: 667068680-295688737
                                                            • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                            • Instruction ID: 4fb55df81a17519a74bed90ca49cd17683557a551b47c6ea8f04bf7092cdc524
                                                            • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                            • Instruction Fuzzy Hash: D3A187A4A09F0791EB249B55FC6816433B6FF49BC9BA59035C80E4F234EF7CA159C392
                                                            Function 00007FFE1A537508 Relevance: 90.2, APIs: 36, Strings: 15, Instructions: 913COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                            • API String ID: 2943138195-2884338863
                                                            • Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                            • Instruction ID: 61b4edc47fc50d0b2ac50615fc8390a472214838c67a08255218c020092db5a1
                                                            • Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                            • Instruction Fuzzy Hash: 8D925162B1CE8286E741CB15E4802BEB7A0FF85764F5011B6FA8E47AA9DF7CD544CB40
                                                            Function 00007FFE0144F9DA Relevance: 34.3, APIs: 16, Strings: 3, Instructions: 1065COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2003779279-1866435925
                                                            • Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                            • Instruction ID: ee3602ebfd946886a4ba4d917299c38d8318de50f39e63bfdaa5682964a5c483
                                                            • Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                            • Instruction Fuzzy Hash: 76A26A26609B8A82EB24CB19E4903A9B770FB85FC5F548036DA8D4BB76DF7DD845C700
                                                            Function 00007FFE01442D70 Relevance: 27.7, APIs: 14, Strings: 1, Instructions: 1490COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • memchr.VCRUNTIME140 ref: 00007FFE014430AA
                                                            • memchr.VCRUNTIME140 ref: 00007FFE01443470
                                                            • memchr.VCRUNTIME140 ref: 00007FFE014436A5
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0144410D
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01444114
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0144411B
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01444122
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01444129
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01444130
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01444137
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0144413E
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01444145
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0144414C
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014442D3
                                                              • Part of subcall function 00007FFE01421DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0141C320), ref: 00007FFE01421DFB
                                                              • Part of subcall function 00007FFE01421DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE0141C320), ref: 00007FFE01421E08
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
                                                            • String ID: 0123456789-
                                                            • API String ID: 3572500260-3850129594
                                                            • Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                            • Instruction ID: d108592efe99e9f05464087151e0161391ea1abd881a08b31dc905b686df696a
                                                            • Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                            • Instruction Fuzzy Hash: CBE29762A09A968AEB108F69D4843BC27B2FB45F98F559131DA5E0B7F5CF7DD881C300
                                                            Function 0000000140008390 Relevance: 19.7, APIs: 13, Instructions: 152fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                              • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                              • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                              • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                              • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                              • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                              • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                            • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                            • OpenEventA.KERNEL32 ref: 0000000140008454
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                            • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                              • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                              • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                              • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                              • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                              • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                              • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                              • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                            • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                            • CloseHandle.KERNEL32 ref: 0000000140008554
                                                            • CloseHandle.KERNEL32 ref: 0000000140008561
                                                            • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                            • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                            • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                            • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                            • String ID:
                                                            • API String ID: 1089015687-0
                                                            • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                            • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                            • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                            • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                            Function 0000000140007FC0 Relevance: 18.2, APIs: 12, Instructions: 159fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                            • String ID:
                                                            • API String ID: 2074253140-0
                                                            • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                            • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                            • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                            • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
                                                            Function 00007FFE0144B698 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 225COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: iswdigit$btowclocaleconv
                                                            • String ID: 0$0
                                                            • API String ID: 240710166-203156872
                                                            • Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                            • Instruction ID: 76c731362b501aef01a81f0329ca621e60df68213904aa30c4518cd4462133c1
                                                            • Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                            • Instruction Fuzzy Hash: 4D81F672A1854687E7259F29E85027A77A2FF94B89F084135DB8E4A2B1EF3CE855C700
                                                            Function 00007FFE0141C780 Relevance: 17.0, APIs: 8, Strings: 1, Instructions: 1257COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0123456789-+Ee
                                                            • API String ID: 0-1347306980
                                                            • Opcode ID: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                            • Instruction ID: c004af5c81d0930c6549fd12701ccacaefe63bd34e1d9ff3e4f8b7161e339b8d
                                                            • Opcode Fuzzy Hash: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                            • Instruction Fuzzy Hash: FAC29C76A09A8289EB518F69D59427C3BB1FB51F88F548031DA5E0B7B5CF3DE866C300
                                                            Function 00007FFE0144A27C Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 247COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memchr$isdigit$localeconv
                                                            • String ID: 0$0123456789abcdefABCDEF
                                                            • API String ID: 1981154758-1185640306
                                                            • Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                            • Instruction ID: b34606fe7481360ce33d9ebb7c6d2a9f922b1b1f1c3dbe064035f38f6575d6b3
                                                            • Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                            • Instruction Fuzzy Hash: 2F912862A0859647F7258F24E81037E7BA2FB45B8CF689034DE8F4B675DA3CE845C741
                                                            Function 00007FFE0141D810 Relevance: 15.3, APIs: 7, Strings: 1, Instructions: 1307COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
                                                            • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                            • API String ID: 2141594249-3606100449
                                                            • Opcode ID: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                            • Instruction ID: 3db193a1a697732a210826dda62ceec94cad40c37ca2ff05e5b2f2bab9d3c238
                                                            • Opcode Fuzzy Hash: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                            • Instruction Fuzzy Hash: F6D29A76A09A8689EB528F6AD19427C3771FB51F88B548431DE5E1B7B1CF3DE862C300
                                                            Function 00007FFE01432208 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1497COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _Find_elem.LIBCPMT ref: 00007FFE01432C08
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014335B9
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014335C0
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014335C7
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01433776
                                                              • Part of subcall function 00007FFE01421DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0141C320), ref: 00007FFE01421DFB
                                                              • Part of subcall function 00007FFE01421DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE0141C320), ref: 00007FFE01421E08
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                            • String ID: 0123456789-
                                                            • API String ID: 2779821303-3850129594
                                                            • Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                            • Instruction ID: a55523e5edc3ea26220bbf306fd7a7f9bee26c3598b963c0c1be6edda616c41c
                                                            • Opcode Fuzzy Hash: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                            • Instruction Fuzzy Hash: D0E27D26A19A9689EB508F29D09067D3BB4FF44B84F549036EE4E4BBB5CF7DD881C700
                                                            Function 00007FFE01430C60 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1497COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _Find_elem.LIBCPMT ref: 00007FFE01431660
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01432011
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01432018
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0143201F
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014321CE
                                                              • Part of subcall function 00007FFE01421DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0141C320), ref: 00007FFE01421DFB
                                                              • Part of subcall function 00007FFE01421DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE0141C320), ref: 00007FFE01421E08
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                            • String ID: 0123456789-
                                                            • API String ID: 2779821303-3850129594
                                                            • Opcode ID: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                            • Instruction ID: c1706dce329309f3122fe0aa4488a50cec154e8023760fc1fd1ea0007e08f2cf
                                                            • Opcode Fuzzy Hash: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                            • Instruction Fuzzy Hash: 47E27D26A19A9689EB508F29D0906BD3BB4FB44F84F549035EE4E4BBB5CF3DD881C700
                                                            Function 00007FFE0144BDA0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 239COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: iswdigit$localeconv
                                                            • String ID: 0$0$0123456789abcdefABCDEF
                                                            • API String ID: 2634821343-613610638
                                                            • Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                            • Instruction ID: 5139646cc9927e0e533675a6f68741b2c1cf43d0f9dcf0580c2054120d11d57d
                                                            • Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                            • Instruction Fuzzy Hash: 8A812972E0855687EB358F24D85067A76A2FB94B48F089131DF8E4F6B4EB3CE855C780
                                                            Function 00007FFE0141A330 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                            • String ID: .$.
                                                            • API String ID: 479945582-3769392785
                                                            • Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                            • Instruction ID: 24ad36c801a3cb050664544b75bb02ef41fe1adebd15533749e9214f7f9a4487
                                                            • Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                            • Instruction Fuzzy Hash: 5141A122A1979285EB20DF65E8483B97360FB857A8F504235EBAD0BAF4DF7CD485C700
                                                            Function 00007FFE0142ABB0 Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1289COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0123456789-+Ee
                                                            • API String ID: 0-1347306980
                                                            • Opcode ID: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                            • Instruction ID: 53efe614e3dfcbca8c7b6f4cef8f030613783009f92b2cb5c8fef0ca27eda65b
                                                            • Opcode Fuzzy Hash: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                            • Instruction Fuzzy Hash: 1BC26D26A09A4685EB648F1AD15027D3761FF65B88B948031DE5E0BBB1CF3DE8E5D302
                                                            Function 00007FFE0142BCD0 Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1289COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0123456789-+Ee
                                                            • API String ID: 0-1347306980
                                                            • Opcode ID: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                            • Instruction ID: 5255a5e377b8d902078717d67300ec8f0c072a9ea0f9db1cc7f2ba0cb9bc40e5
                                                            • Opcode Fuzzy Hash: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                            • Instruction Fuzzy Hash: 7EC26C36A09A8685EB608F19D19027D37A1FF65F84B949431DE4E0B7B0CF3DE8A5D312
                                                            Function 00007FFE01436338 Relevance: 9.6, APIs: 6, Instructions: 626COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014365AB
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0143663D
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014366E0
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01436B9C
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01436BEE
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01436C35
                                                              • Part of subcall function 00007FFE0143EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0142923E), ref: 00007FFE0143EC08
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                            • String ID:
                                                            • API String ID: 15630516-0
                                                            • Opcode ID: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                            • Instruction ID: 5a5f86a2ddc5412c07a3d0d831d2a0a7b5da09c58d1a71fcc4496ecce4d27ac6
                                                            • Opcode Fuzzy Hash: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                            • Instruction Fuzzy Hash: E3529162A18B8695EB148F29D4441BD7771FB94B98F519132DB8D0BBB9EF3CE680C340
                                                            Function 00007FFE01436C84 Relevance: 9.6, APIs: 6, Instructions: 626COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01436EF7
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01436F89
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0143702C
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014374E8
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0143753A
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01437581
                                                              • Part of subcall function 00007FFE0143EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0142923E), ref: 00007FFE0143EC08
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                            • String ID:
                                                            • API String ID: 15630516-0
                                                            • Opcode ID: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                            • Instruction ID: 0bd75dc75bcdd89ad1b85d90a4b084155700fcbc7bb55bbaeae473d3d4094a68
                                                            • Opcode Fuzzy Hash: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                            • Instruction Fuzzy Hash: 21527F62A18B8695EB108F29D4442BD7771FB94B99F509132EB8D0BBB5EF3CE584C340
                                                            Function 0000000140012220 Relevance: 8.9, APIs: 7, Instructions: 138COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 1799700165-0
                                                            • Opcode ID: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                            • Instruction ID: 3a6b280c2881091f38a62e61b74d670a019ca3ad59059a788fa850ef2ffa55ac
                                                            • Opcode Fuzzy Hash: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                            • Instruction Fuzzy Hash: D52112B5611A80CAE71DEE37A8523EA1362E79C7C4F149536BF594FAAEDE31C4218340
                                                            Function 00007FFE0142CDF0 Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 1331COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                            • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                            • API String ID: 1825414929-3606100449
                                                            • Opcode ID: ddd61782d9e4402da2bcb03becf798ae66cc8a3793171496245683449c1d3606
                                                            • Instruction ID: 999ab5953d188d8b482d9aa038529e9bbbefc9484cb2ad5e64fd3a249835fa89
                                                            • Opcode Fuzzy Hash: ddd61782d9e4402da2bcb03becf798ae66cc8a3793171496245683449c1d3606
                                                            • Instruction Fuzzy Hash: A2D24B26A09A8685EB548F5AD19017C3361FF64F88B949031DF5E0B7B4CF3DE8A6D312
                                                            Function 00007FFE0142DF10 Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 1331COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                            • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                            • API String ID: 1825414929-3606100449
                                                            • Opcode ID: a2c3201d2fc563089677c4d096e338824b1e6b1947c9be9f1e037a0ad47d033a
                                                            • Instruction ID: 3828176a7a8ef168753857848db1ad4d95ae705cfe65e9ca48deb47fc13fc28d
                                                            • Opcode Fuzzy Hash: a2c3201d2fc563089677c4d096e338824b1e6b1947c9be9f1e037a0ad47d033a
                                                            • Instruction Fuzzy Hash: 40D24B26A09A4685EB608F1AD19017C3761FF64F84B949032DF5E1B7B0DF3DE8A6D312
                                                            Function 00007FFE01429460 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                            • String ID:
                                                            • API String ID: 1326169664-0
                                                            • Opcode ID: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                            • Instruction ID: 47f815f9ddd3e1f9848364c4e1371c31458cd2e39f96227bd8553a09581223ac
                                                            • Opcode Fuzzy Hash: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                            • Instruction Fuzzy Hash: DEE15A22B09B5695EB10DFA5D4402AC63B1EB98B98F914136DE4D1BBB8DF3CD59AC300
                                                            Function 00007FFE01428FB0 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                            • String ID:
                                                            • API String ID: 1326169664-0
                                                            • Opcode ID: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                            • Instruction ID: 2a591f2ca06603864b4832ce110b909b14fccd4f37a8010113d0cd657233d196
                                                            • Opcode Fuzzy Hash: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                            • Instruction Fuzzy Hash: 66E15822B09B5695FB10CBA5D4401AC7372EB58B98F914136DE4D2BBB8DF3CD59AC300
                                                            Function 00007FFE0141E8B0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 634COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$memchr
                                                            • String ID: 0123456789ABCDEFabcdef-+Xx
                                                            • API String ID: 2740501399-2799312399
                                                            • Opcode ID: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
                                                            • Instruction ID: 6a72595256aca2b3d78d6210654a162ded9b09e54bedd6377a9ab9335ed11565
                                                            • Opcode Fuzzy Hash: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
                                                            • Instruction Fuzzy Hash: 4452B42AB09A8289FB528F29D45017C3B71BB45B98B548431CE5E2F7B5DF3DE866D300
                                                            Function 00007FFE01435470 Relevance: 5.3, APIs: 3, Instructions: 815COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE01447600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE01413887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0144760F
                                                              • Part of subcall function 00007FFE0141F6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01444C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE66), ref: 00007FFE0141F6FC
                                                            • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE77), ref: 00007FFE01435F35
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE77), ref: 00007FFE01435F4A
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE77), ref: 00007FFE01435F58
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$Gettnames_lock_localesrealloc
                                                            • String ID:
                                                            • API String ID: 3705959680-0
                                                            • Opcode ID: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
                                                            • Instruction ID: 74a4be1001998d5cf7fadd98f809e8250f3cf69a8438c54697cc494d5eebf5e7
                                                            • Opcode Fuzzy Hash: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
                                                            • Instruction Fuzzy Hash: 27823761E09A0286FB66DF25D8812B937A1FF54B84F444436EA0E4F3B6EF3CE4568744
                                                            Function 00007FFE01434780 Relevance: 5.3, APIs: 3, Instructions: 815COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE01447600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE01413887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0144760F
                                                              • Part of subcall function 00007FFE0141F6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01444C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE66), ref: 00007FFE0141F6FC
                                                            • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE88), ref: 00007FFE01435245
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE88), ref: 00007FFE0143525A
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE88), ref: 00007FFE01435268
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$Gettnames_lock_localesrealloc
                                                            • String ID:
                                                            • API String ID: 3705959680-0
                                                            • Opcode ID: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
                                                            • Instruction ID: 6af8673e8c96b17affc80f52b8e3c3934f052dc1bb4936155998790cad6a0dc2
                                                            • Opcode Fuzzy Hash: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
                                                            • Instruction Fuzzy Hash: AF824A61E09A0285FB66DF25D8812B937A1FF54B84F484136EA0E4F3B6EF3CE4568744
                                                            Function 0000000140010BE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID: GetLastError() = 0x%X
                                                            • API String ID: 3479602957-3384952017
                                                            • Opcode ID: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                            • Instruction ID: 03957f339625c86e619908699dc07c15f857aa178ffe48bb474e222578fe156c
                                                            • Opcode Fuzzy Hash: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                            • Instruction Fuzzy Hash: 63219032A18BC083E7118B2AE400399B7A4F7D97A4F159315EBE8036E9EB78C545CB40
                                                            Function 00007FFE014444E0 Relevance: 5.0, APIs: 3, Instructions: 509COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE01441E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01441F72
                                                              • Part of subcall function 00007FFE01447600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE01413887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0144760F
                                                            • _Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE66,?,?,?,?,?,?,?,00007FFE0141F7E7), ref: 00007FFE01444BCF
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE66,?,?,?,?,?,?,?,00007FFE0141F7E7), ref: 00007FFE01444BE4
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE0141FE66,?,?,?,?,?,?,?,00007FFE0141F7E7), ref: 00007FFE01444BF3
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
                                                            • String ID:
                                                            • API String ID: 962949324-0
                                                            • Opcode ID: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                            • Instruction ID: 43b50735cecbb4e0d0faa31984f2478564cb088fcfdc0cc9c218b685c75e727f
                                                            • Opcode Fuzzy Hash: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                            • Instruction Fuzzy Hash: 2A322C65A09A0286FB61DF25E8412B537A2FF547C4F484436EA0E4F7B6EF3CE4568344
                                                            Function 00007FFE01434340 Relevance: 3.3, APIs: 2, Instructions: 297COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014346ED
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0143473B
                                                              • Part of subcall function 00007FFE0143EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0142923E), ref: 00007FFE0143EC08
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                            • String ID:
                                                            • API String ID: 15630516-0
                                                            • Opcode ID: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                            • Instruction ID: 5abd9c8a0e3f5049786825306422fb2bc2852d9d13c7c4cf30ce0757670ca487
                                                            • Opcode Fuzzy Hash: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                            • Instruction Fuzzy Hash: 31D13622B09B8696EB10CFA5D5402EC6372EB58B98F454132DE5D2BBB9DF3CE459C340
                                                            Function 00007FFE01433F00 Relevance: 3.3, APIs: 2, Instructions: 297COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014342AD
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014342FB
                                                              • Part of subcall function 00007FFE0143EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0142923E), ref: 00007FFE0143EC08
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                            • String ID:
                                                            • API String ID: 15630516-0
                                                            • Opcode ID: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                            • Instruction ID: 6e60b0f93636616a7d992242fc93c2bcc37e3b2600eb08289da9de263e0ae98c
                                                            • Opcode Fuzzy Hash: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                            • Instruction Fuzzy Hash: EDD14722B09B4695FB10CFA5D4542AC63B2AB48B98B454132DE4D2BBB9DF3CE459C340
                                                            Function 00007FFE014260D0 Relevance: 3.3, APIs: 2, Instructions: 251COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                            • String ID:
                                                            • API String ID: 1654775311-0
                                                            • Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                            • Instruction ID: b77865bb79a34efab67a2527c2f9b1c6207122eec70132a96079dc81ffd031ea
                                                            • Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                            • Instruction Fuzzy Hash: C8A1CD72F096A285FB109BA594506BC37B1BB25B98F964035DE4E1FBB5CF3CA891C301
                                                            Function 00007FFE01426440 Relevance: 3.3, APIs: 2, Instructions: 251COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                            • String ID:
                                                            • API String ID: 1654775311-0
                                                            • Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                            • Instruction ID: a4d5badbe340e405eac2d2ca305e6d903f9f535d99827727432746d68dfdb9ff
                                                            • Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                            • Instruction Fuzzy Hash: 40A1B072F096A285FB208BA5E4506BC27B1BB65B98F954035DE4D1FBB4DF3C9891C301
                                                            Function 00007FFE0141A7B0 Relevance: 3.1, APIs: 2, Instructions: 98COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memmove$DiskFreeSpace_invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 1915456417-0
                                                            • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                            • Instruction ID: ea7c80d9a1ba3392439d0ba2920276b9a869b187894d54b6d3f7da6bfd352ae2
                                                            • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                            • Instruction Fuzzy Hash: BD415D72B15B8198FB00CFA1D8506AC37B5FB48BA8F545625CE5D2BBA8DF78D085C340
                                                            Function 00007FFE0143EFC0 Relevance: 3.0, APIs: 2, Instructions: 24COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: InfoLocale___lc_locale_name_func
                                                            • String ID:
                                                            • API String ID: 3366915261-0
                                                            • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                            • Instruction ID: 32f0c4ead03a0eb7e908e03d59ab8dedec4af55efa25f49110924c4ad04ad2f5
                                                            • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                            • Instruction Fuzzy Hash: D7F015B6E2C14382E3A85B2CE469739A270FB54749F400136E90F4A6B4CF6DE5489742
                                                            Function 00007FFE01430710 Relevance: .4, Instructions: 410COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                            • Instruction ID: 37e397a1613bf025a32366a62ba9dcd67774aa1e128f3c6abbf0e72695247f39
                                                            • Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                            • Instruction Fuzzy Hash: 7D023626A09A4689EB648F29D45037D33A1FB54F88F549232EA4E1F7B5CF3DD886C350
                                                            Function 00007FFE01442880 Relevance: .4, Instructions: 391COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                            • Instruction ID: 7d10abcc2eb74d6d614084e89c5f8deeb0d45da699b91b2a2306f3c273b991fb
                                                            • Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                            • Instruction Fuzzy Hash: E7025E26A09A868AEB518F29E45077C37A2FB44F98F549131EA4D5F3B5CF7DD882C310
                                                            Function 00007FFE0141F9B0 Relevance: .3, Instructions: 331COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _lock_locales
                                                            • String ID:
                                                            • API String ID: 3756862740-0
                                                            • Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                            • Instruction ID: 55eef7717cf8f9933d51693df50d9f9af7df054a2dab616bef31d4bcaa945ffe
                                                            • Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                            • Instruction Fuzzy Hash: F2E16C21E09A4286EB66DF25E9501B933A2FF80BD4F544136E90E4F7B6DF3CA54B8740
                                                            Function 0000000140004730 Relevance: 67.0, APIs: 5, Strings: 33, Instructions: 470COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • memset.VCRUNTIME140 ref: 000000014000475B
                                                              • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                              • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                              • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                            • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                              • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                            • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                            • API String ID: 2423274481-1946953090
                                                            • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                            • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                            • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                            • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                            Function 00007FFE1A538C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                            • API String ID: 2943138195-1388207849
                                                            • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                            • Instruction ID: a74bfa1425be8e96dd24e5497d60fb17a66e5bb6bc34b32ef3846cb1a1208c0c
                                                            • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                            • Instruction Fuzzy Hash: 59F16EB2F1CE1294F7198B66D8542BC26B0BF82B64F4045FBCA1D56AB8DF3DA644C740
                                                            Function 00007FFE1A53C3C8 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID: `anonymous namespace'
                                                            • API String ID: 2943138195-3062148218
                                                            • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                            • Instruction ID: 5d80b17ffae3e599e4e4ee055236bd712223455a7a67871aac9c12fc7558e52c
                                                            • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                            • Instruction Fuzzy Hash: 24E12972A0CF8695EB10CF26E4802BD77A0FB86B54F4480B6EA4D57B65EF38E554C700
                                                            Function 0000000140002630 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 290COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                            • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                            • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                            • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                            • String ID: (
                                                            • API String ID: 703713002-3887548279
                                                            • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                            • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                            • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                            • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                            Function 00000001400107F0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 268libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                            • String ID: [NOT FOUND ] %s
                                                            • API String ID: 2350601386-3340296899
                                                            • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                            • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                            • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                            • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                            Function 00007FFE1A53A83C Relevance: 22.9, APIs: 15, Instructions: 358COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID:
                                                            • API String ID: 2943138195-0
                                                            • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                            • Instruction ID: accf7b66260b36f056dd3b3a3c587051a8ac1890e43df09590fc01197bf6995f
                                                            • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                            • Instruction Fuzzy Hash: FCF17B72F0CA829AE711DF66D4901FC37B0AB86B58F4440F6EB4D67AA9DE38D519C340
                                                            Function 000000014001189C Relevance: 22.6, APIs: 15, Instructions: 94COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                            • String ID:
                                                            • API String ID: 1818695170-0
                                                            • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                            • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                            • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                            • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                            Function 00007FFE1A53D20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                            • API String ID: 2943138195-2309034085
                                                            • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                            • Instruction ID: abdef68fee57e12a9e820628bd85960d1f71e23e4ef79095c2ffd812cbc038f9
                                                            • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                            • Instruction Fuzzy Hash: 4AE18C63F0CE5294FB159B6699541FC27B0AF92F64F4409F7DA0E17AB9DE3CA9088340
                                                            Function 0000000140003320 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 422COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                            • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                            • API String ID: 140832405-680935841
                                                            • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                            • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                            • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                            • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                            Function 00007FFE1A532CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 3436797354-393685449
                                                            • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                            • Instruction ID: cfcbaf154ffb819716330ac0142327a91cc2e5afd221a82b6249c5b13df94228
                                                            • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                            • Instruction Fuzzy Hash: DCD15E76B0CB4186EB109B66D4412BD77A4FF96BA8F0001B6DE8D57B66CF38E494C700
                                                            Function 00007FFE014126E0 Relevance: 18.2, APIs: 12, Instructions: 238COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                            • String ID:
                                                            • API String ID: 3420081407-0
                                                            • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                            • Instruction ID: 75f20c11372b2e3c9407ad716d49ea9c324d15208a4ea1ca9223862db68eed61
                                                            • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                            • Instruction Fuzzy Hash: 68A1B263B0868286FB318F209510BBA66A1EF44BE8F644631DE5D9E7F4DFBCE4448341
                                                            Function 00007FFE0142692C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE0144B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                              • Part of subcall function 00007FFE0144B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                              • Part of subcall function 00007FFE0144B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                              • Part of subcall function 00007FFE0144B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142A87E), ref: 00007FFE01426971
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142A87E), ref: 00007FFE0142698E
                                                            • _Maklocstr.LIBCPMT ref: 00007FFE014269AA
                                                            • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142A87E), ref: 00007FFE014269B3
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142A87E), ref: 00007FFE014269D0
                                                            • _Maklocstr.LIBCPMT ref: 00007FFE014269EC
                                                            • _Maklocstr.LIBCPMT ref: 00007FFE01426A01
                                                              • Part of subcall function 00007FFE01414D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D72
                                                              • Part of subcall function 00007FFE01414D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D98
                                                              • Part of subcall function 00007FFE01414D50: memmove.VCRUNTIME140(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414DB0
                                                            Strings
                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01426999
                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE014269DB
                                                            • :AM:am:PM:pm, xrefs: 00007FFE014269FA
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                            • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                            • API String ID: 269533641-35662545
                                                            • Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                            • Instruction ID: 480be876dd26a3745f287509745b953c695268a2779bc2a797db78b7407f91da
                                                            • Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                            • Instruction Fuzzy Hash: F4212B32A14B4282EB00DF21E4502A977A1EB99FC8F858235DA4D4B776EF3CE585C381
                                                            Function 00007FFE01412B20 Relevance: 16.7, APIs: 11, Instructions: 203COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                            • String ID:
                                                            • API String ID: 1733283546-0
                                                            • Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                            • Instruction ID: 148b171a728dade7cd716e1100215f1d9e408e67317e73e1b52a97a1e3759431
                                                            • Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                            • Instruction Fuzzy Hash: 2B916032A08B8286EB608F51D44077966A1FB44BE8F644235EA5D9BBF4DFBCE4458700
                                                            Function 00007FFE01449350 Relevance: 16.7, APIs: 11, Instructions: 168COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                            • String ID:
                                                            • API String ID: 3166507417-0
                                                            • Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                            • Instruction ID: 39a1cd52b54450e0ceb080cd01db3aa07b927eecb91d87bf749135235468b7ce
                                                            • Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                            • Instruction Fuzzy Hash: 50617122F085429BFB10DAA2D4415EE2722EB5874CF504536EE0D6BAB5DE3CE90AD740
                                                            Function 00000001400071E0 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                            • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                            • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                            • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                            • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                            • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                            • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                            • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                            • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                            • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                              • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                              • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                              • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                              • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                              • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                              • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                              • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                              • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                            • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                            • String ID:
                                                            • API String ID: 2702579277-0
                                                            • Opcode ID: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                            • Instruction ID: 4e02132fa2518a481f17a5c3ad5963577c23686a774b89ce01035fe16d76d46e
                                                            • Opcode Fuzzy Hash: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                            • Instruction Fuzzy Hash: 09618EB2608A4082FB12CB26F8947EA67A2F78EBD0F505121FB9D476B5DF3DC5498700
                                                            Function 00007FFE01459BC0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 229COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2003779279-1866435925
                                                            • Opcode ID: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                            • Instruction ID: cd441cd842dbe1456d0a59c0ffd863b39d928e5d63fc9a991fc37b71c1a1cb16
                                                            • Opcode Fuzzy Hash: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                            • Instruction Fuzzy Hash: 60918022A18A46C1EF65CB15E4917B97760FB84FC8F548036CA4E4B7B6DF2DD44AC301
                                                            Function 00007FFE1A53E350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                            • API String ID: 0-3207858774
                                                            • Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                            • Instruction ID: 8f065517ab70d0ae427be357836a4a98134a18e91ecd485643e0fb1f1122e358
                                                            • Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                            • Instruction Fuzzy Hash: E2913962B0CE8699EB118B22E4502BC37E1AF96FA4B4840F6DE4D037A5EF3CE505D750
                                                            Function 00007FFE1A53A13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+$Name::operator+=
                                                            • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                            • API String ID: 179159573-1464470183
                                                            • Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                            • Instruction ID: 6a2766d51977583a39626436be29324422dba0c85a325b472a095d8587eff7ad
                                                            • Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                            • Instruction Fuzzy Hash: 97513A31F1CE6699FB14CB66E8405BC37B0BF46BA4F5041BAEA0D57A68EF2AD541C700
                                                            Function 00007FFE0144B440 Relevance: 15.2, APIs: 10, Instructions: 167COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                            • String ID:
                                                            • API String ID: 3781602613-0
                                                            • Opcode ID: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                            • Instruction ID: 14ee05e1def88bba27b8a5e4b4b8dd8e32c1696a7fc8d1cb7eb8bed59a507df9
                                                            • Opcode Fuzzy Hash: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                            • Instruction Fuzzy Hash: D7617022F085429BFB11DEA2D4811FD2732EB58748F504536EE0D6BAB9DE3CE95AC740
                                                            Function 00007FFE1A5388E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID:
                                                            • API String ID: 2943138195-0
                                                            • Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                            • Instruction ID: 629e02eea09fd4d18619713f9e6fc1c533e88526bd0e2091754f5c20e8f3d606
                                                            • Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                            • Instruction Fuzzy Hash: C3615062F08F5698F701DBA2D8801FC27B1BF85BA8B4044B6EE4D6BA69DF78D545C340
                                                            Function 00007FFE1A5212D0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874121796.00007FFE1A521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874062623.00007FFE1A520000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874167385.00007FFE1A528000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874188173.00007FFE1A529000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a520000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort$AdjustPointermemmove
                                                            • String ID:
                                                            • API String ID: 338301193-0
                                                            • Opcode ID: 07f6f1c71b1fba12c50c9bfb688491a0a06ff6fb4efb73833bc0a4a245d0f2ba
                                                            • Instruction ID: c920acde0565a9e8af3e95b65d65c9b70404081e650b6dfba25b02c95c021f02
                                                            • Opcode Fuzzy Hash: 07f6f1c71b1fba12c50c9bfb688491a0a06ff6fb4efb73833bc0a4a245d0f2ba
                                                            • Instruction Fuzzy Hash: A8519E35F0EF42C1EA658B93A44453E72A7BF56FA4F0984F7DA4E06AA1DF2CE4418340
                                                            Function 00007FFE1A5331A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 211107550-393685449
                                                            • Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                            • Instruction ID: c3993220d239acd2e0d04f3a0dc45fd37d4f02613580c51f2be66476aaeff4e1
                                                            • Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                            • Instruction Fuzzy Hash: C6E17372B0CA818AE7109F66D4802BD7BA1FF86F68F1441B6DA9D47766DF38E485C700
                                                            Function 00007FFE1A521650 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874121796.00007FFE1A521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874062623.00007FFE1A520000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874167385.00007FFE1A528000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874188173.00007FFE1A529000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a520000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 211107550-393685449
                                                            • Opcode ID: cb3bf927df27b60c74c765ddc221b28a06d569304d98737ce8ec765a202f2bbd
                                                            • Instruction ID: 765246afba80fd2f287031523858fecb17e50ee7971df7549b6c5caf90c32560
                                                            • Opcode Fuzzy Hash: cb3bf927df27b60c74c765ddc221b28a06d569304d98737ce8ec765a202f2bbd
                                                            • Instruction Fuzzy Hash: F3E1B477A0CB81CAE7109FA6D4802BE37A2FB46B68F1401B7DA4D47666DF38E585C740
                                                            Function 00007FFE0144A080 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 148COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memchrtolower$_errnoisspace
                                                            • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 3508154992-2692187688
                                                            • Opcode ID: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                            • Instruction ID: 9c7996b6414078658326a5df321a2ef093ad67d9a16fe4d49a18bab2ff86b4f2
                                                            • Opcode Fuzzy Hash: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                            • Instruction Fuzzy Hash: 6B51E712A4D6D247FB618F24A8143B96AA2FB45BD4F684031CD9F4F3B5DE3CE9429701
                                                            Function 00007FFE1A53BE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                            • API String ID: 2943138195-2239912363
                                                            • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                            • Instruction ID: 5ca46681bb3f7eb7439df5bacf718e3a570f5ee832898dc38f2dfaa22618fc2a
                                                            • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                            • Instruction Fuzzy Hash: 2A514962F1CF9598FB118B62D8412BC77B0BF8AB64F4540FACA4D12AA5EF3C9144C710
                                                            Function 00000001400078C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                            • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                              • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                              • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                              • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                              • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                              • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                            • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                            • String ID: ImptRED_CEvent_
                                                            • API String ID: 2242036409-942587184
                                                            • Opcode ID: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                            • Instruction ID: 9b405900c275d478bf9193c59fc3990d56eeb31e22b03c6e117ca8d8066cf312
                                                            • Opcode Fuzzy Hash: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                            • Instruction Fuzzy Hash: 1D519AB2204B8096EB11CB6AE89079E7B70F389B98F504111EF8D57BA9DF3DC549CB00
                                                            Function 0000000140007E00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                            • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                              • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                              • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                              • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                              • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                              • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                            • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                            • String ID: ImptRED_SEvent_
                                                            • API String ID: 2242036409-1609572862
                                                            • Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                            • Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
                                                            • Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                            • Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40
                                                            Function 0000000140007A80 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                            • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                              • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                              • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                              • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                              • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                              • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                            • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                            • String ID: ImptRED_CmdMap_
                                                            • API String ID: 2242036409-3276274529
                                                            • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                            • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                            • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                            • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                            Function 0000000140007C40 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                            • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                              • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                              • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                              • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                              • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                              • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                            • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                            • String ID: ImptRED_DMap_
                                                            • API String ID: 2242036409-2879874026
                                                            • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                            • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                            • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                            • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                            Function 00007FFE01416C20 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 1099746521-1866435925
                                                            • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                            • Instruction ID: c8e8352052d63eb4fec2b3ca9f255bdc0a353179aa679d429161b93ca1c33390
                                                            • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                            • Instruction Fuzzy Hash: 5A212561E2860BA5FB54CB00E8826F92331EF50388F984036D54E4E5BAFF6DE549C341
                                                            Function 0000000140004FF0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 275stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                              • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                              • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                              • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                            • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                            • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                            • String ID: MRDH$SideCarLut
                                                            • API String ID: 916663099-3852011117
                                                            • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                            • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                            • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                            • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                            Function 00007FFE01459940 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 171COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2003779279-1866435925
                                                            • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                            • Instruction ID: 80de0ec280f5a8533710328f817e950a8a647061d81db7a86eaab1131eef1b43
                                                            • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                            • Instruction Fuzzy Hash: 22614E22A08A46C6EF64CF15D4913B96760FB84FC9F548036CA4E4B7BADF6DD846C311
                                                            Function 00007FFE014243F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 1428583292-1866435925
                                                            • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                            • Instruction ID: 4fb7aa76aee3d2f76a6b928643c77313763c8ce9851e65df1c64e55a9c63b042
                                                            • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                            • Instruction Fuzzy Hash: 73717F72619A86D5EB60CF65E4402BD33A0FB54B88F984032EA4D4BB78DF3DD595C341
                                                            Function 00007FFE1A535F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                            • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                            • API String ID: 1852475696-928371585
                                                            • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                            • Instruction ID: 013cd142a6995ac864fa583159ae1beaf80749e4ddf302ae3493ce6572dbce35
                                                            • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                            • Instruction Fuzzy Hash: 9551AE62B1CE4696DA20CB26E4912BA6360FF85FA8F0054F6DA4E07A75EF3CE105C300
                                                            Function 00007FFE014596E0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE014598D3
                                                            • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0144C678), ref: 00007FFE014598E4
                                                            • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE01459927
                                                            • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0144C678), ref: 00007FFE01459938
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2003779279-1866435925
                                                            • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                            • Instruction ID: 66ae59013f68dfcfeeb548f4eafe2338b3d37a0c16d0fa0c8215051408f5a97d
                                                            • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                            • Instruction Fuzzy Hash: 8F616A22A18A46C5EB64CF19E4913B96760FB80FDCF548036CA4E4B7B6DF6DD846C301
                                                            Function 00007FFE01449E70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memchrtolower$_errnoisspace
                                                            • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 3508154992-4256519037
                                                            • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                            • Instruction ID: 2738b3d83e9f1c523ff48d86645d2395269c62bb634d77fa7baec5fa1a170d29
                                                            • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                            • Instruction Fuzzy Hash: 0C51E522A0D68647E7218E25E42437A76A2FF49798F584135DD8E8B7B4DF3CE842A701
                                                            Function 00007FFE1A53E148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+$Name::operator+=
                                                            • String ID: {for
                                                            • API String ID: 179159573-864106941
                                                            • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                            • Instruction ID: 2f68bad466aacad969667c7b83dca1f850f10dba4ab56afa6acb3d17ffcba425
                                                            • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                            • Instruction Fuzzy Hash: 24513972B0CA85A9E7119F26D4413FC63A1EB86B68F4480F6EA4C47BA5EF7CE554C310
                                                            Function 00007FFE0141B280 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 127COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2003779279-1866435925
                                                            • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                            • Instruction ID: 7bbbd4ede276b553f84f8ab121fa876702e06d63da7ac003db642e12840d2105
                                                            • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                            • Instruction Fuzzy Hash: 80518A62A18A0A81EB50CB19D4D02B973B0FF84FC8F544532DA5E8B7B9DF2CE856C300
                                                            Function 00007FFE1A5368AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A536931
                                                            • GetLastError.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A53693F
                                                            • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A536958
                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A53696A
                                                            • FreeLibrary.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A5369B0
                                                            • GetProcAddress.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A5369BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                            • String ID: api-ms-
                                                            • API String ID: 916704608-2084034818
                                                            • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                            • Instruction ID: 6bee55ca76f33367972f73decf52de0ff214f3acd376dc3f719c00d5ae84bead
                                                            • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                            • Instruction Fuzzy Hash: 66319222B1EF4295EE159B0398001B662A4BF86FB0F5945FADD1E077A4EF3CE144C320
                                                            Function 00007FFE1A523558 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A523717,?,?,00000000,00007FFE1A523548,?,?,?,?,00007FFE1A5232C9), ref: 00007FFE1A5235DD
                                                            • GetLastError.KERNEL32(?,?,?,00007FFE1A523717,?,?,00000000,00007FFE1A523548,?,?,?,?,00007FFE1A5232C9), ref: 00007FFE1A5235EB
                                                            • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A523717,?,?,00000000,00007FFE1A523548,?,?,?,?,00007FFE1A5232C9), ref: 00007FFE1A523604
                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A523717,?,?,00000000,00007FFE1A523548,?,?,?,?,00007FFE1A5232C9), ref: 00007FFE1A523616
                                                            • FreeLibrary.KERNEL32(?,?,?,00007FFE1A523717,?,?,00000000,00007FFE1A523548,?,?,?,?,00007FFE1A5232C9), ref: 00007FFE1A52365C
                                                            • GetProcAddress.KERNEL32(?,?,?,00007FFE1A523717,?,?,00000000,00007FFE1A523548,?,?,?,?,00007FFE1A5232C9), ref: 00007FFE1A523668
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874121796.00007FFE1A521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874062623.00007FFE1A520000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874167385.00007FFE1A528000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874188173.00007FFE1A529000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a520000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                            • String ID: api-ms-
                                                            • API String ID: 916704608-2084034818
                                                            • Opcode ID: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
                                                            • Instruction ID: ed107697f09d3d3b42af0edb852699912ae8d21a6cf16092f3175d46d70c4cc4
                                                            • Opcode Fuzzy Hash: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
                                                            • Instruction Fuzzy Hash: 2831A121B1EE42D1EE219B93A8005B5239ABF4AFB4F5945B7DD5E063A1DF3CE4498700
                                                            Function 00007FFE014412C4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE0144B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                              • Part of subcall function 00007FFE0144B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                              • Part of subcall function 00007FFE0144B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                              • Part of subcall function 00007FFE0144B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE01441309
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE01441326
                                                            • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE0144134B
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE01441368
                                                              • Part of subcall function 00007FFE01414D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D72
                                                              • Part of subcall function 00007FFE01414D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D98
                                                              • Part of subcall function 00007FFE01414D50: memmove.VCRUNTIME140(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414DB0
                                                            Strings
                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01441331
                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE01441373
                                                            • :AM:am:PM:pm, xrefs: 00007FFE01441392
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                            • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                            • API String ID: 2607222871-35662545
                                                            • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                            • Instruction ID: 78230411b6936e50c9105d0a068bcd6e373a9b45d745c425247c9b7ffccd4a43
                                                            • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                            • Instruction Fuzzy Hash: 29212B36A04B4282EB10DF21E4402A973B1EB98FD8F488235DA5D4B776EF3CE585C340
                                                            Function 00007FFE01426A20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE0144B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                              • Part of subcall function 00007FFE0144B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                              • Part of subcall function 00007FFE0144B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                              • Part of subcall function 00007FFE0144B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01426A5E
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01426A7B
                                                            • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01426A9B
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01426AB8
                                                              • Part of subcall function 00007FFE01414DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01426AB5,?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01414DF9
                                                              • Part of subcall function 00007FFE01414DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01426AB5,?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01414E28
                                                              • Part of subcall function 00007FFE01414DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE01426AB5,?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01414E3F
                                                            Strings
                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE01426AC3
                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01426A86
                                                            • :AM:am:PM:pm, xrefs: 00007FFE01426AD4
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                            • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                            • API String ID: 2607222871-3743323925
                                                            • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                            • Instruction ID: aa19a06bc41a9e765bfe12d54d648233757542ac1d47066531da4036e56938b6
                                                            • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                            • Instruction Fuzzy Hash: C2214F22908B4282EB10DF21E45426973B1FB99BD8F444135DA4E4B776EF7CE984C741
                                                            Function 00007FFE1A5325E8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort$AdjustPointer
                                                            • String ID:
                                                            • API String ID: 1501936508-0
                                                            • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                            • Instruction ID: b8b84502707dbb4a39dd8ddb30bd53527bc5a15179d70697402766f6ae676e2b
                                                            • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                            • Instruction Fuzzy Hash: B9515AA2B0EE4281EA659B17954463C6394BFA6FE4B1584FBDA4E067A5DE3CE441C300
                                                            Function 00007FFE1A5327CC Relevance: 12.1, APIs: 8, Instructions: 148COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort$AdjustPointer
                                                            • String ID:
                                                            • API String ID: 1501936508-0
                                                            • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                            • Instruction ID: 4c12f51f128d9c81e1833d6a26f9b931d0a21b71dd5c548733415ccb8a2fd3ae
                                                            • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                            • Instruction Fuzzy Hash: DA519062F0DF4291EA658B17944463CA394AFA6FE0F0984FBDA4E067A5DF7CE481C310
                                                            Function 00007FFE01449950 Relevance: 10.7, APIs: 7, Instructions: 167COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                            • String ID:
                                                            • API String ID: 578106097-0
                                                            • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                            • Instruction ID: 079009ad6e3f01c5a189410434fad806194ffa58cf5ac783be70072123e1abc6
                                                            • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                            • Instruction Fuzzy Hash: 6D61B222B1CA8287EB11DF61E4805BE6722FB89748F504532EA4D5B6B9DF3CD54AD700
                                                            Function 00007FFE014490D0 Relevance: 10.7, APIs: 7, Instructions: 167COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                            • String ID:
                                                            • API String ID: 578106097-0
                                                            • Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                            • Instruction ID: 24b178c8c49ef5e7ef3819ad44c339b46b7fc5da2d4f94bd896548436fbf338b
                                                            • Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                            • Instruction Fuzzy Hash: 1161B222B1C94293EB11DF61E4806BF6722FB99748F500532EE4E5B6B9DE3CE54AD700
                                                            Function 000000014000C2E0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 164COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                              • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                              • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                            • memcpy.VCRUNTIME140 ref: 000000014000C3C8
                                                            • memcpy.VCRUNTIME140 ref: 000000014000C427
                                                              • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                              • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                            • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                            • API String ID: 1244713665-103080910
                                                            • Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                            • Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
                                                            • Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                            • Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340
                                                            Function 00007FFE1A535520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: FileHeader_local_unwind
                                                            • String ID: MOC$RCC$csm$csm
                                                            • API String ID: 2627209546-1441736206
                                                            • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                            • Instruction ID: 98af42da1edb0a369400b7acc8aacb75340877a401e8efc4a43537c8acc532d0
                                                            • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                            • Instruction Fuzzy Hash: B5515F72B0DA118AEA609F37904137D66A0FFC6FA8F5420F7EA4D467A5DE3CE4418A01
                                                            Function 00000001400074F0 Relevance: 10.6, APIs: 7, Instructions: 131COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                            • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                            • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                            • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                            • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                            • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                            • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                            • String ID:
                                                            • API String ID: 1492985063-0
                                                            • Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                            • Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
                                                            • Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                            • Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300
                                                            Function 00007FFE0141BA68 Relevance: 10.6, APIs: 7, Instructions: 110COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BB38
                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BB48
                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BB5D
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BB91
                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BB9B
                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BBAB
                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BBBB
                                                              • Part of subcall function 00007FFE014625AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415AF8), ref: 00007FFE014625C6
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memmove$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                            • String ID:
                                                            • API String ID: 1468981775-0
                                                            • Opcode ID: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                            • Instruction ID: f92d4c4cdab42ffd062f4b2cbec260cb088ae9a02893415b7fa1b735c06c4f8e
                                                            • Opcode Fuzzy Hash: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                            • Instruction Fuzzy Hash: A041A262B08A8291EB14EF56E5442A9A361FB44BD4F544536EF5D0FBBADEBCD041C340
                                                            Function 00007FFE014258B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2924853686-1866435925
                                                            • Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                            • Instruction ID: a931cb3e174fc13939811d96526f14c9a3bd38dca6c3ea64d63c3fe7ce622ac4
                                                            • Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                            • Instruction Fuzzy Hash: E0418872A18B8696EB548F24E4413AD33B0FB24B98F944131DA4C4F6B9DF3CE5A4C740
                                                            Function 00007FFE01422FAC Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: CurrentThread$xtime_get
                                                            • String ID:
                                                            • API String ID: 1104475336-0
                                                            • Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                            • Instruction ID: 0b86e5e729bdacbf1bc3aaa22ec92df8b0a7d6c4c78d64a535a2afd4528056c0
                                                            • Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                            • Instruction Fuzzy Hash: D941D872A08647C6EB64CF16E44426D73B0FB58B89F918035DB4E8A6B4DE3DE8C5C712
                                                            Function 00007FFE01433B28 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE01433B56
                                                              • Part of subcall function 00007FFE0144B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                              • Part of subcall function 00007FFE0144B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                              • Part of subcall function 00007FFE0144B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                              • Part of subcall function 00007FFE0144B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            • _Maklocstr.LIBCPMT ref: 00007FFE01433BCF
                                                            • _Maklocstr.LIBCPMT ref: 00007FFE01433BE5
                                                            • _Getvals.LIBCPMT ref: 00007FFE01433C8A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                            • String ID: false$true
                                                            • API String ID: 2626534690-2658103896
                                                            • Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                            • Instruction ID: 1c227797e8d4fdc34ad09614bfe4df8f10436714aaebca2c07110ebda80ea022
                                                            • Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                            • Instruction Fuzzy Hash: 53413C26B18B919AF710DF74E4401ED33B1FB9874CB445226EE4D2BA69EF38D596C340
                                                            Function 00007FFE1A53D740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: NameName::atol
                                                            • String ID: `template-parameter$void
                                                            • API String ID: 2130343216-4057429177
                                                            • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                            • Instruction ID: 8f50cac90c26c8a1d22a0b8bc4d53e193e35bae95b6bd2238095fd8f5ccf0a26
                                                            • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                            • Instruction Fuzzy Hash: AF414922F0CF5688FB009BA2D8512BC2371BF4ABA4F5454BACE0D17A65EF78A509C350
                                                            Function 00007FFE1A538624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                            • API String ID: 2943138195-2211150622
                                                            • Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                            • Instruction ID: dfee26fb4fea986748f878a99bbc57f1da13dbde16fa75e52a9c869253554502
                                                            • Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                            • Instruction Fuzzy Hash: 25413772B1CF8688FB168B66E8402BC37A0BF4AB58F4441BADA4D53764EF3CA545C750
                                                            Function 00007FFE1A53A31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID: char $int $long $short $unsigned
                                                            • API String ID: 2943138195-3894466517
                                                            • Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                            • Instruction ID: 8db53833b7a01839e029b66513b7da1be11942a1800b005db6759b0eca91be54
                                                            • Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                            • Instruction Fuzzy Hash: 65414932F1CA6689F7158B6AE8441BC37B1BF8AB64F4481F6CA0C56B68DF3D9544C710
                                                            Function 00007FFE0141C0A0 Relevance: 9.3, APIs: 6, Instructions: 318stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                            • String ID:
                                                            • API String ID: 3009415009-0
                                                            • Opcode ID: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                            • Instruction ID: 3e262e65b911d0d406488bb2fa92d993d2dad6ae570e1dbb16e5297fca19db25
                                                            • Opcode Fuzzy Hash: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                            • Instruction Fuzzy Hash: 14E14A22B49B8685FB10DBA9D8406AC6771FB49B98F504136DE5D2BBB9DF3CD44AC300
                                                            Function 00007FFE014400EC Relevance: 9.2, APIs: 6, Instructions: 235COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Dunscale$_errno
                                                            • String ID:
                                                            • API String ID: 2900277114-0
                                                            • Opcode ID: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                            • Instruction ID: 531a395ed3cbe3c0c5f465d9d4f97b4d93a2b43e4b51842960f4a84c15485599
                                                            • Opcode Fuzzy Hash: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                            • Instruction Fuzzy Hash: 45A1BE32E086469BEB109F2685800FD6762FF55798F544231FB0A1B5F6EF3CB4A69740
                                                            Function 00007FFE014486F0 Relevance: 9.2, APIs: 6, Instructions: 235COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Dunscale$_errno
                                                            • String ID:
                                                            • API String ID: 2900277114-0
                                                            • Opcode ID: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                            • Instruction ID: 73b28421f76cdb5e8826ebd33a51d01e61fdde7371f11a90c9cb9543b5f6c6a9
                                                            • Opcode Fuzzy Hash: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                            • Instruction Fuzzy Hash: CCA1BF27D18E4B97E711DEB484411BE2363FF66799F508231EA4E2E5B5EF3CA0968300
                                                            Function 000000014000AF60 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 192COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                            • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                            • API String ID: 2665656946-1215215629
                                                            • Opcode ID: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                            • Instruction ID: 1f94f83d43c849715069b53280c3cf1e8531b19b99bc01c412034d7b6d4e24df
                                                            • Opcode Fuzzy Hash: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                            • Instruction Fuzzy Hash: B19122B1211A8499EB22DF27F8503DA7361F74ABD4F884222EB490B7B9DB7EC141C701
                                                            Function 00007FFE01418F20 Relevance: 9.2, APIs: 6, Instructions: 185COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: fgetc
                                                            • String ID:
                                                            • API String ID: 2807381905-0
                                                            • Opcode ID: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                            • Instruction ID: cd61fb6de3cf48ef87164710ff4c0013cea302bf250a4f240901dc2ecaab81f7
                                                            • Opcode Fuzzy Hash: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                            • Instruction Fuzzy Hash: B7912B72605A8288EB50CF25C4943AC37A1FB58B9CF551236EA5E4BBB9DF39D594C300
                                                            Function 00007FFE0144B960 Relevance: 9.2, APIs: 6, Instructions: 167COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                            • String ID:
                                                            • API String ID: 3490103321-0
                                                            • Opcode ID: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                            • Instruction ID: 9318ea0371ae56c95009aefc52f794881da0ae2967fca506a51b98bcab2b479c
                                                            • Opcode Fuzzy Hash: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                            • Instruction Fuzzy Hash: 2761B422B1CA8287E721DF61E8805BE6722FB95744F504532EE4D5BAB9DF3CD54ACB00
                                                            Function 00007FFE0144B1C0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                            • String ID:
                                                            • API String ID: 3490103321-0
                                                            • Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                            • Instruction ID: a565dca952cf57d86b2ee2dfabd4e1da94e12b4ca79633a6438fe599a4ccc255
                                                            • Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                            • Instruction Fuzzy Hash: 4B61B222B1CA4283E711DF62E4805FE6722FB95744F500532EE4E5BAB5DE3CE54A8B00
                                                            Function 00007FFE01419A58 Relevance: 9.1, APIs: 6, Instructions: 112COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 2016347663-0
                                                            • Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                            • Instruction ID: 72a3dc2b3bee80bb5d45bdb829e419ead6fb672e4bb64fceefccde3e513776cd
                                                            • Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                            • Instruction Fuzzy Hash: F441B26271864691EF149B16E5142A96361FB44BE8F584635DF6D0FBFADE7CE041C300
                                                            Function 00007FFE0141A000 Relevance: 9.1, APIs: 6, Instructions: 93fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: FileHandle$CloseCreateInformation
                                                            • String ID:
                                                            • API String ID: 1240749428-0
                                                            • Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                            • Instruction ID: 41c9fd78ee745237269fc171de7038e315c84f1c14f9dd330968b5469b0e2f7e
                                                            • Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                            • Instruction Fuzzy Hash: 24419C22F096828AF760CF70A8507AA37B0AB487ACF115735EA1C4BAB4DF3CD5958740
                                                            Function 00007FFE1A5362D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                            • String ID:
                                                            • API String ID: 3741236498-0
                                                            • Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                            • Instruction ID: 441f241423cfb34a15b79d0cf8f282f0e25f341d526130a1db0268484af0c1fc
                                                            • Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                            • Instruction Fuzzy Hash: AC31B221B1DB9590EA118B27A80457A73A0FF8AFE4B5555FADE2D037A0EE3DD442C310
                                                            Function 00000001400117B8 Relevance: 9.1, APIs: 6, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                            • String ID:
                                                            • API String ID: 2153537742-0
                                                            • Opcode ID: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                            • Instruction ID: 534899ad21150968aac174715d7514135b35f9473fc5e80356d1b8ef46292b69
                                                            • Opcode Fuzzy Hash: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                            • Instruction Fuzzy Hash: 95115E38A0024155FA5FB7F398173EC11969FAC3C4F454524BB498F2F3EE7B88658662
                                                            Function 00007FFE01412F50 Relevance: 9.1, APIs: 6, Instructions: 51COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE01415F96), ref: 00007FFE01412F59
                                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415F96), ref: 00007FFE01412F6B
                                                            • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE01415F96), ref: 00007FFE01412F7A
                                                            • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE01415F96), ref: 00007FFE01412FE0
                                                            • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE01415F96), ref: 00007FFE01412FEE
                                                            • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE01415F96), ref: 00007FFE01413001
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                            • String ID:
                                                            • API String ID: 490008815-0
                                                            • Opcode ID: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                            • Instruction ID: b817c57e0e68e29036a249a9856357228480eaef089f57235d84f02805354103
                                                            • Opcode Fuzzy Hash: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                            • Instruction Fuzzy Hash: 5D21FF62E18B8583E7018F38D5152783760FB69B8DF15A224CE8C1A236DF7DE5D5C340
                                                            Function 0000000140007850 Relevance: 9.0, APIs: 6, Instructions: 21fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$FileUnmapView
                                                            • String ID:
                                                            • API String ID: 260491571-0
                                                            • Opcode ID: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                            • Instruction ID: e4157fc547da492297a5d265050bc8fab675aa544c6886f43f24823cbbcadd6d
                                                            • Opcode Fuzzy Hash: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                            • Instruction Fuzzy Hash: 1DF01438616E00D5FA07DB63ECA83A427A1BB8DBD9F440211EB4E4B331DE3F85998300
                                                            Function 00007FFE1A5338A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort$CallEncodePointerTranslator
                                                            • String ID: MOC$RCC
                                                            • API String ID: 2889003569-2084237596
                                                            • Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                            • Instruction ID: 55dbf0f9a6f14d12056fcb565902045fecf3254740b3f942bf11110ca60b9df2
                                                            • Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                            • Instruction Fuzzy Hash: C6916373B08B858AE710CB66E4402BD7BA0FB45BA8F1441AAEE8D57765DF38D195C700
                                                            Function 00007FFE1A521B3C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874121796.00007FFE1A521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874062623.00007FFE1A520000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874167385.00007FFE1A528000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874188173.00007FFE1A529000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a520000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort$CallEncodePointerTranslator
                                                            • String ID: MOC$RCC
                                                            • API String ID: 2889003569-2084237596
                                                            • Opcode ID: b9d59197ed9058caaff3681df3c64902a43601032ad083162a420140406a310d
                                                            • Instruction ID: 4041125877b45f1c88b538e6028854dc272e2846602365e5d00c92e1da0ab92b
                                                            • Opcode Fuzzy Hash: b9d59197ed9058caaff3681df3c64902a43601032ad083162a420140406a310d
                                                            • Instruction Fuzzy Hash: 2C919377B08B81CAE710CBA6D8402BD7BA1FB45BA8F1441ABEA4D17765DF38D195CB00
                                                            Function 00007FFE1A53BB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                            • API String ID: 2943138195-757766384
                                                            • Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                            • Instruction ID: 9f74497f2fc56d1a7475553cacc5e65d7be2e0b4612b24877036a67dda4f10f9
                                                            • Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                            • Instruction Fuzzy Hash: AE716C71B0CE8684EB248F26D9552BC66A0BF46BA4F4445FBDA4D07AB9DF3CA250C310
                                                            Function 000000014000ABD0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 150COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                              • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                              • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                            • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                            • API String ID: 3207467095-2931640462
                                                            • Opcode ID: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                            • Instruction ID: 2da19ac7c4dfbac8c42f28ebd32a6b72bd3b2cb838895640dc67fbc0c8e08b7c
                                                            • Opcode Fuzzy Hash: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                            • Instruction Fuzzy Hash: DC5169B2B10A5489EB11CF6AE8407DD37B1F709BA8F504216EF2A67BE9DB74C581C740
                                                            Function 00007FFE1A533690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort$CallEncodePointerTranslator
                                                            • String ID: MOC$RCC
                                                            • API String ID: 2889003569-2084237596
                                                            • Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                            • Instruction ID: 1a411bf3eebd0cf35ff1481b0f3d1a66eb583ef3b722ff249820aa8b9cc95aa6
                                                            • Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                            • Instruction Fuzzy Hash: C7617976B09B858AE714CF66D0803BD77A0FB85BA8F0442A6EE4D17B69CF78E155C700
                                                            Function 00007FFE0144BBD8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0144B212), ref: 00007FFE0144BBFE
                                                            • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0144B212), ref: 00007FFE0144BC0F
                                                            • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0144B212), ref: 00007FFE0144BC76
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: iswspace$iswxdigit
                                                            • String ID: (
                                                            • API String ID: 3812816871-3887548279
                                                            • Opcode ID: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                            • Instruction ID: cca0c3041353bfbb4d34223ef757313bf51bd715973408abecb85841c847b3f9
                                                            • Opcode Fuzzy Hash: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                            • Instruction Fuzzy Hash: D05190A6D0855383EF249F62D5502F972A2EF20BC9F488036DE8D4E0B4EF7DE842C211
                                                            Function 00007FFE01449CD4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01449122), ref: 00007FFE01449CFA
                                                            • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01449122), ref: 00007FFE01449D0B
                                                            • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01449122), ref: 00007FFE01449D64
                                                            • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01449122), ref: 00007FFE01449E14
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: isspace$isalnumisxdigit
                                                            • String ID: (
                                                            • API String ID: 3355161242-3887548279
                                                            • Opcode ID: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                            • Instruction ID: ca80e27e502a609bc5772a26ade187ea63d9c6ee30028578c7fda0dffc444f5e
                                                            • Opcode Fuzzy Hash: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                            • Instruction Fuzzy Hash: 1841C156D0818257EB348F31E9153F66B93DF29B98F189031CADC0F6B6DE1EE806A711
                                                            Function 00007FFE014339E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE0144B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                              • Part of subcall function 00007FFE0144B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                              • Part of subcall function 00007FFE0144B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                              • Part of subcall function 00007FFE0144B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0142A22C), ref: 00007FFE01433A25
                                                              • Part of subcall function 00007FFE0141B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01441347,?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE0141B7BF
                                                              • Part of subcall function 00007FFE0141B794: memmove.VCRUNTIME140(?,?,00000000,00007FFE01441347,?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE0141B7DB
                                                            • _Getvals.LIBCPMT ref: 00007FFE01433A61
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                            • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                            • API String ID: 3031888307-3573081731
                                                            • Opcode ID: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                            • Instruction ID: 0e95b67e882d44c123d77bc0337291a7b061e4da60e8cb94f7aa0f1183e05406
                                                            • Opcode Fuzzy Hash: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                            • Instruction Fuzzy Hash: 26418C72A08B8197E725DF22958056D7BA0FB85B81B054235DB8987E31DF7CF562CB00
                                                            Function 00007FFE01433CB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE01433CE2
                                                              • Part of subcall function 00007FFE0144B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                              • Part of subcall function 00007FFE0144B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                              • Part of subcall function 00007FFE0144B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                              • Part of subcall function 00007FFE0144B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            • _Maklocstr.LIBCPMT ref: 00007FFE01433D5B
                                                            • _Maklocstr.LIBCPMT ref: 00007FFE01433D71
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                            • String ID: false$true
                                                            • API String ID: 309754672-2658103896
                                                            • Opcode ID: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                            • Instruction ID: 8b8325617f06a337b076a7059f9a8e6d69007a5c4c01e28240098622cb80dda4
                                                            • Opcode Fuzzy Hash: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                            • Instruction Fuzzy Hash: 4D418B27B18B559AE710CFB0E4401ED33B1FB98788B404126EE4D2BB29EF38D5A5C390
                                                            Function 00007FFE014183E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2003779279-1866435925
                                                            • Opcode ID: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                            • Instruction ID: 4eeb914c0a916e77622838d435eea569766d0cc5a37b7adf6f7268bf67a2152d
                                                            • Opcode Fuzzy Hash: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                            • Instruction Fuzzy Hash: 2D21BB62A1864792EB14DB15E6413B96370FF507C8F944035EB8E4BAB9EF3CE1A5C300
                                                            Function 00007FFE01418D10 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2003779279-1866435925
                                                            • Opcode ID: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                            • Instruction ID: 0773cff5275ffa2a06ae627a496f33df2ba31d1a0294fe6a56924ef9337e96f5
                                                            • Opcode Fuzzy Hash: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                            • Instruction Fuzzy Hash: 28F08161A1860B96EF58CB00D8826F93331FB50788FA44435D65D4E5B9EF3DE54BC741
                                                            Function 0000000140006B70 Relevance: 7.8, APIs: 5, Instructions: 255COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                            • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                            • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                            • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                            • String ID:
                                                            • API String ID: 3275830057-0
                                                            • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                            • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                            • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                            • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                            Function 00007FFE01424A60 Relevance: 7.7, APIs: 5, Instructions: 183COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: fgetwc
                                                            • String ID:
                                                            • API String ID: 2948136663-0
                                                            • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                            • Instruction ID: a34ab06c71b7c215af44f07bf641489a8a398ca547d9394cc5d076f9b2df94f7
                                                            • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                            • Instruction Fuzzy Hash: 08814E72605A41C8DB20CF65C0903AC33A1FB58B88F965536EA4E4BBB9DF7DD594C311
                                                            Function 0000000140009FD0 Relevance: 7.6, APIs: 5, Instructions: 112COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 2665656946-0
                                                            • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                            • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                            • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                            • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                            Function 00007FFE0141B90C Relevance: 7.6, APIs: 5, Instructions: 101COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141B9D3
                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141B9E1
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BA1A
                                                            • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BA24
                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01441347), ref: 00007FFE0141BA32
                                                              • Part of subcall function 00007FFE014625AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415AF8), ref: 00007FFE014625C6
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memmovememset$_invalid_parameter_noinfo_noreturnmalloc
                                                            • String ID:
                                                            • API String ID: 3042321802-0
                                                            • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                            • Instruction ID: 8c78d73b026dcab8933b0421f0733d4de8df29eaa83b131e4e968074459db27e
                                                            • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                            • Instruction Fuzzy Hash: 1E31C722B1868291EF149F56A5043BE6362FB04BD4F584531EF5D0FBB6DEBCE0829301
                                                            Function 00007FFE1A539FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: NameName::$Name::operator+
                                                            • String ID:
                                                            • API String ID: 826178784-0
                                                            • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                            • Instruction ID: 609a5f5545df136b8435a2d2338e33e32412857adb40e1dcaf06d2dd9b2951fc
                                                            • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                            • Instruction Fuzzy Hash: FC412722F0DE9688EB10CB22D8801B837A4BF96FA0B5440F7DA5D537A5EF39E955C300
                                                            Function 00007FFE01414C30 Relevance: 7.5, APIs: 6, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE01422160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE01414C3E,?,?,00000000,00007FFE01415B5B), ref: 00007FFE0142216F
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415B5B), ref: 00007FFE01414C47
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415B5B), ref: 00007FFE01414C5B
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415B5B), ref: 00007FFE01414C6F
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415B5B), ref: 00007FFE01414C83
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415B5B), ref: 00007FFE01414C97
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415B5B), ref: 00007FFE01414CAB
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$setlocale
                                                            • String ID:
                                                            • API String ID: 294139027-0
                                                            • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                            • Instruction ID: eb8ba863c0791b3f989b84fb6012148eceffda270351705b5163ad621877a522
                                                            • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                            • Instruction Fuzzy Hash: C7111722A06A0681FB599FA1C0E573923A1EF84F88F180135CA0E0D178DF6DD8D4D381
                                                            Function 00007FFE01423380 Relevance: 7.5, APIs: 5, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: __acrt_iob_func$abortfputcfputs
                                                            • String ID:
                                                            • API String ID: 2697642930-0
                                                            • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                            • Instruction ID: 54db314a33b49ae8eaec797e9bdde6a853a6273a5aace3a8c135896fe4242f23
                                                            • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                            • Instruction Fuzzy Hash: ACE0ECA4A1864386E7186B61EC1D33463369F48BD6F240038C90F8E378CE2C54894213
                                                            Function 00007FFE0143C480 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                            • String ID: %.0Lf$0123456789-
                                                            • API String ID: 4032823789-3094241602
                                                            • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                            • Instruction ID: 24ae590b99ecef154e29063f2824b751d10f3aac075d2855184c3f1ad480e946
                                                            • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                            • Instruction Fuzzy Hash: BB712872B19B5699EB00CFA5D4942AC2371EB48BD8F404136DE4D6BBB8DE3CD55AC340
                                                            Function 00007FFE01446E40 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                            • String ID: 0123456789-
                                                            • API String ID: 2457263114-3850129594
                                                            • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                            • Instruction ID: 9fd62b714fdc37f77922afbe3d8e33b0f3fd57b7b8954efcfa38ac4ea8116fb5
                                                            • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                            • Instruction Fuzzy Hash: 50716C22B09B869AFB10CBA5D4502AC7771EB59BD8F440136DE8D1BBB9CE3CD45AC300
                                                            Function 000000014000CA70 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 174COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                            • String ID: gfffffff$gfffffff
                                                            • API String ID: 3668304517-161084747
                                                            • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                            • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                            • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                            • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                            Function 00007FFE014470C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                            • String ID: %.0Lf
                                                            • API String ID: 1248405305-1402515088
                                                            • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                            • Instruction ID: 1fa75feb718412b81ae5161d8148cdf91885d57a74f89c96211459a06a233562
                                                            • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                            • Instruction Fuzzy Hash: A6616F22B08B8686EB11DBB5E8502AD7772EB59B98F544135EE4D2BB79DF3CD046C300
                                                            Function 00007FFE1A534044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                            • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A5341C3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort
                                                            • String ID: $csm$csm
                                                            • API String ID: 4206212132-1512788406
                                                            • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                            • Instruction ID: f94bd2f6ee013b0f5ef064bd4bf5aa4cd285101840c6bae28b81c84547c3d211
                                                            • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                            • Instruction Fuzzy Hash: AD71923A70CA8186D7648B1694507797FA0FF86FA6F0481B6EF8D47AA6CE3CD451C740
                                                            Function 00007FFE1A5220B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE1A52349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A521222), ref: 00007FFE1A5234DC
                                                            • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A52222F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874121796.00007FFE1A521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874062623.00007FFE1A520000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874167385.00007FFE1A528000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874188173.00007FFE1A529000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a520000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort
                                                            • String ID: $csm$csm
                                                            • API String ID: 4206212132-1512788406
                                                            • Opcode ID: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
                                                            • Instruction ID: 22ef36ce075acee253cb6c37d81559cc7d8e1440bd60ba9e14a3d2dd00cfb6e5
                                                            • Opcode Fuzzy Hash: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
                                                            • Instruction Fuzzy Hash: 3A718236A0CA81C6D7618BA2945077D7BA2EB02FE5F0481B7EE4C57AA5CF3CD491C700
                                                            Function 00007FFE1A533E1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                            • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A533F13
                                                            • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A533F23
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                            • String ID: csm$csm
                                                            • API String ID: 4108983575-3733052814
                                                            • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                            • Instruction ID: d97c5460246ee17a826f15377bd7d26be3eb26be9688e44686fc9df53f140255
                                                            • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                            • Instruction Fuzzy Hash: E4512C32B0CA8286EA648B16944427976A0FF96FB5F5441B7DA8D47BA6CF3CE451CB00
                                                            Function 00007FFE01412500 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Exception$RaiseThrowabort
                                                            • String ID: csm
                                                            • API String ID: 3758033050-1018135373
                                                            • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                            • Instruction ID: 64690a98770a43034f6c06233693951bbd995451578f740f88ce7e3fd5bc95a1
                                                            • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                            • Instruction Fuzzy Hash: 17513C22904BC586EB25CF28C4502A833A0FB58B9CF259725DA5D4B7B6DF79E5D5C300
                                                            Function 00007FFE0141F950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0141F8D4
                                                            • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0141F8E6
                                                            • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0141F96B
                                                              • Part of subcall function 00007FFE01414D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D72
                                                              • Part of subcall function 00007FFE01414D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D98
                                                              • Part of subcall function 00007FFE01414D50: memmove.VCRUNTIME140(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414DB0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: setlocale$freemallocmemmove
                                                            • String ID: bad locale name
                                                            • API String ID: 4085402405-1405518554
                                                            • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                            • Instruction ID: b372beb3ab6787f67d4f79338c048e4410eec26d3251c17dce2c3adba93db136
                                                            • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                            • Instruction Fuzzy Hash: 2731B262F1C69241FB65DB1AA44017A62A2AF84BC4F588036DE5D4F7B5DF3CE88E8340
                                                            Function 00007FFE014338A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE0144B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                              • Part of subcall function 00007FFE0144B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                              • Part of subcall function 00007FFE0144B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                              • Part of subcall function 00007FFE0144B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0142A07C), ref: 00007FFE014338E1
                                                              • Part of subcall function 00007FFE0141B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01441347,?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE0141B7BF
                                                              • Part of subcall function 00007FFE0141B794: memmove.VCRUNTIME140(?,?,00000000,00007FFE01441347,?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE0141B7DB
                                                              • Part of subcall function 00007FFE014267B0: _Maklocstr.LIBCPMT ref: 00007FFE014267E0
                                                              • Part of subcall function 00007FFE014267B0: _Maklocstr.LIBCPMT ref: 00007FFE014267FF
                                                              • Part of subcall function 00007FFE014267B0: _Maklocstr.LIBCPMT ref: 00007FFE0142681E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                            • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                            • API String ID: 2504686060-3573081731
                                                            • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                            • Instruction ID: 7fa7350438b8b9cbb2524abfdabfde3b470c2bc5d875c1fda88463499f198a70
                                                            • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                            • Instruction Fuzzy Hash: 45419C72A08B829BE724CF21D59056E7BA1FB84781B054235DB894BA31DF7CF5A6CB00
                                                            Function 00007FFE0144430C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE0144B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                              • Part of subcall function 00007FFE0144B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                              • Part of subcall function 00007FFE0144B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                              • Part of subcall function 00007FFE0144B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFE01442278), ref: 00007FFE0144434D
                                                              • Part of subcall function 00007FFE0141B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01441347,?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE0141B7BF
                                                              • Part of subcall function 00007FFE0141B794: memmove.VCRUNTIME140(?,?,00000000,00007FFE01441347,?,?,?,?,?,?,?,?,?,00007FFE0144243E), ref: 00007FFE0141B7DB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                            • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                            • API String ID: 462457024-3573081731
                                                            • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                            • Instruction ID: 1f24446cd94b53de50e8aaab4bf7572f94264dd049c9c3a63525190ef529e6b8
                                                            • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                            • Instruction Fuzzy Hash: 6E41B072A08B829BE764CF25D58066D7BA1FB84B85B184235DB8947E31DF7CF562CB00
                                                            Function 00007FFE1A53A714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: NameName::
                                                            • String ID: %lf
                                                            • API String ID: 1333004437-2891890143
                                                            • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                            • Instruction ID: d1cb95642941fd45f01bff71cc34e70669a6f8dbc50eb8b6b98e7dac3ba66477
                                                            • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                            • Instruction Fuzzy Hash: AF318022B0CE8585EA20CB26A85027A6360FF86F94F4481F7EA9E47665DF3CE5428740
                                                            Function 00007FFE0141A4C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: FileFindNext$wcscpy_s
                                                            • String ID: .
                                                            • API String ID: 544952861-248832578
                                                            • Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                            • Instruction ID: 1d5bea19f6bee54e9743a335d6a870423702ef5f66a8345a47529f7504f9030b
                                                            • Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                            • Instruction Fuzzy Hash: 6B216362A0D6C286FB709F25E8443B973A0EB49BD8F984131DA8D4B6B4DF7CD449CB41
                                                            Function 00007FFE01416C00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                            • String ID: ios_base::badbit set
                                                            • API String ID: 1099746521-3882152299
                                                            • Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                            • Instruction ID: 044e741be4737a1d96e2cca1e4e9eb6eec8bf72287a448c93a65f9447036af59
                                                            • Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                            • Instruction Fuzzy Hash: 1E01F951F2C607A1FB18CB15D4419BD2322EF90788F258536D54E0E9B9FFBDE506C240
                                                            Function 00007FFE1A532400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A53243E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abortterminate
                                                            • String ID: MOC$RCC$csm
                                                            • API String ID: 661698970-2671469338
                                                            • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                            • Instruction ID: 71b0fc6e5e28853ddfe2614336c8319ef393e8049bc7849868c0392f889cfc5a
                                                            • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                            • Instruction Fuzzy Hash: 4CF08C36A0CE4681EB505F23A18007D3261FF99FA0F0850F7D74802262CF3CD4A0C611
                                                            Function 00007FFE1A521268 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE1A52349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A521222), ref: 00007FFE1A5234DC
                                                            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A5212A6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874121796.00007FFE1A521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874062623.00007FFE1A520000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874167385.00007FFE1A528000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874188173.00007FFE1A529000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a520000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abortterminate
                                                            • String ID: MOC$RCC$csm
                                                            • API String ID: 661698970-2671469338
                                                            • Opcode ID: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
                                                            • Instruction ID: 33dcd009b9bcdcf74be9ab238a61138e29bdd3d7b58a1313a071bd6da6d7ecee
                                                            • Opcode Fuzzy Hash: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
                                                            • Instruction Fuzzy Hash: AEF08C3AA0CA06C2E7106BA3A18817932A1FF4AF60F0950F3E74842262CF3CD990CB40
                                                            Function 00007FFE1A53E9E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE1A53E9F0
                                                              • Part of subcall function 00007FFE1A53EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A53ECF0
                                                              • Part of subcall function 00007FFE1A53EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A53E9F5), ref: 00007FFE1A53ED3F
                                                              • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A53EA1A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                            • String ID: csm$f
                                                            • API String ID: 2451123448-629598281
                                                            • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                            • Instruction ID: fe0d4b3af82a2f3562fd1e2f783c302dc6d51a382ce8b4787ba6c53bdc702396
                                                            • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                            • Instruction Fuzzy Hash: E3E06575F1CB4681E7206BA3B18513D26E5BF96F74F1480FADE4807666CE3CE8D09601
                                                            Function 00007FFE1A539CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID:
                                                            • API String ID: 2943138195-0
                                                            • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                            • Instruction ID: de3f9428d105a4ed303fede87917347479305529f309faa4fec75df94d2a6e69
                                                            • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                            • Instruction Fuzzy Hash: D8917CA2F0CE96C9F7118B62D8503BC27B0BF82B68F5440F6DA4D576A5DF78A845C340
                                                            Function 00007FFE1A53A44C Relevance: 6.1, APIs: 4, Instructions: 134COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+$NameName::
                                                            • String ID:
                                                            • API String ID: 168861036-0
                                                            • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                            • Instruction ID: a639e284ee3b93c8ada01ab0927e6416d7c231f45bed8e4c2a68f0a66268a526
                                                            • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                            • Instruction Fuzzy Hash: BB513972F1DA9688EB11CF62E8403BC37A0BB96B64F5440B6DA0E47BA5DF3AD441C750
                                                            Function 0000000140001ED0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
                                                            • String ID:
                                                            • API String ID: 3533975685-0
                                                            • Opcode ID: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                            • Instruction ID: 948ad675966271c9991ceaad39470193d7d81f5c1b48440d7dc352eab6ab828f
                                                            • Opcode Fuzzy Hash: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                            • Instruction Fuzzy Hash: B431B4B2711A9451EA06DF66F5443EDA291A788BE0F548635AF6C077E5EF38C4E2C300
                                                            Function 00007FFE01426DC8 Relevance: 6.1, APIs: 4, Instructions: 111COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE014267E5), ref: 00007FFE01426EA1
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE014267E5), ref: 00007FFE01426EF2
                                                            • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE014267E5), ref: 00007FFE01426EFC
                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE01426F3D
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 2016347663-0
                                                            • Opcode ID: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                            • Instruction ID: 5b1b8a6918adef91544fa3504ba068df147f04043be8914ed6ae7a8a4377a136
                                                            • Opcode Fuzzy Hash: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                            • Instruction Fuzzy Hash: 6C41DF72B0864691EF149B16E11417D6255AB18BE4F9A4631EE6D0FBF8EE7CE081C302
                                                            Function 00007FFE01419BE8 Relevance: 6.1, APIs: 4, Instructions: 107COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 2016347663-0
                                                            • Opcode ID: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                            • Instruction ID: 8efd666a677db17718290f75229ccc64e98aec654983f9d4c33f6e10aa4d56ee
                                                            • Opcode Fuzzy Hash: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                            • Instruction Fuzzy Hash: 7131D161B0864695EF149F16E554269A3A5AF04BE8F548231DE7D0FBF5EE7CE082C300
                                                            Function 00007FFE0143FD50 Relevance: 6.1, APIs: 4, Instructions: 99COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Xp_movx$Xp_setw_errnoldexpmemmove
                                                            • String ID:
                                                            • API String ID: 2295688418-0
                                                            • Opcode ID: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                            • Instruction ID: d3edba0ca45e3befd9223cce8179d2de5111e36059aa06cb82bd9098fe226c5b
                                                            • Opcode Fuzzy Hash: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                            • Instruction Fuzzy Hash: B041D422E1CA4686F7519B2590422FA6360EF88B54F544231EE4D1F7B6DF3CE90E8A12
                                                            Function 00007FFE01413160 Relevance: 6.1, APIs: 4, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                            • String ID:
                                                            • API String ID: 2234106055-0
                                                            • Opcode ID: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                            • Instruction ID: dd227dbb5d666021ed13e9ad3b4e0a8fee303607104b06a04483a73eff6c4a5f
                                                            • Opcode Fuzzy Hash: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                            • Instruction Fuzzy Hash: D231C522A0C78282F7219F16A85437D7AA1FB94BE5F184035DE8E0BBB9DE3CE445C711
                                                            Function 00007FFE01413020 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                            • String ID:
                                                            • API String ID: 3857474680-0
                                                            • Opcode ID: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                            • Instruction ID: ea94d35f3b37b074e5ee02de0bcdacc9f5b6a004469b563e2d1683afc3668b93
                                                            • Opcode Fuzzy Hash: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                            • Instruction Fuzzy Hash: F231CFA2A0C68282FB158F15A85437D6EA1FB90BE5F184035DA8E0F7BDDE2DE484C711
                                                            Function 00007FFE1A53C87C Relevance: 6.1, APIs: 4, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID:
                                                            • API String ID: 2943138195-0
                                                            • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                            • Instruction ID: 66b11d71bcb604f444492588a7f3d036d757cea31ad410e0699a2a9156765480
                                                            • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                            • Instruction Fuzzy Hash: 44416773A08B9589E701CF66E8413BC37A0FB86B68F5480A6DA4E57769DF78A445C310
                                                            Function 00007FFE0144AF70 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE0143E921), ref: 00007FFE0144AFB7
                                                            • memmove.VCRUNTIME140(?,00000000,?,?,?,00007FFE0143E921), ref: 00007FFE0144AFDB
                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0143E921), ref: 00007FFE0144AFE8
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0143E921), ref: 00007FFE0144B05B
                                                              • Part of subcall function 00007FFE01412E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE01412E5A
                                                              • Part of subcall function 00007FFE01412E30: LCMapStringEx.KERNEL32 ref: 00007FFE01412E9E
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: String___lc_locale_name_funcfreemallocmemmovewcsnlen
                                                            • String ID:
                                                            • API String ID: 1076354707-0
                                                            • Opcode ID: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                            • Instruction ID: f5a7d629221aeac8fb29fd5107f10880fbe08268ae29eed0d317b620b0fb25a0
                                                            • Opcode Fuzzy Hash: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                            • Instruction Fuzzy Hash: 5D21F861B08BD286E7209F12A40056AAA95FB45FE4F584635DE6D1FBF5DF3CD4428700
                                                            Function 00007FFE0141ABB4 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _wfsopen$fclosefseek
                                                            • String ID:
                                                            • API String ID: 1261181034-0
                                                            • Opcode ID: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                            • Instruction ID: 8809d1ae0d24fc9beba0e9b8c8782a0e8323d5fc4118effd5e8f87c79be837cf
                                                            • Opcode Fuzzy Hash: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                            • Instruction Fuzzy Hash: 7031B621B1A68642FB69CB16A45567673A1FF85FC4F5C4534CE0E4BBB4EE3CE8418740
                                                            Function 00007FFE0141AAA0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _fsopen$fclosefseek
                                                            • String ID:
                                                            • API String ID: 410343947-0
                                                            • Opcode ID: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                            • Instruction ID: 586b0165894cd21c58ec28be050e1d4fcc88959605995f19d3e7ceef8857d44e
                                                            • Opcode Fuzzy Hash: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                            • Instruction Fuzzy Hash: 2631B621B297C641EB69CB16A45567576A2FF85FC8F584934CF0D8B7B4DE3CE9418300
                                                            Function 0000000140010660 Relevance: 6.1, APIs: 4, Instructions: 77COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                            • String ID:
                                                            • API String ID: 4174221723-0
                                                            • Opcode ID: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                            • Instruction ID: 329cc6dd5267e1a20a6fc7da630ad77381380cdf8f0f417e816be49fa379c834
                                                            • Opcode Fuzzy Hash: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                            • Instruction Fuzzy Hash: F4315072A18B8441EB128B26E4453AE6751E79DBF4F249301F7FD0B6F9DBB9D5C08600
                                                            Function 00007FFE0144A5D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0144576B), ref: 00007FFE0144A604
                                                            • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0144576B), ref: 00007FFE0144A60E
                                                              • Part of subcall function 00007FFE014126E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE01412728
                                                              • Part of subcall function 00007FFE014126E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0141274E
                                                              • Part of subcall function 00007FFE014126E0: GetCPInfo.KERNEL32 ref: 00007FFE01412792
                                                            • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFE0144576B), ref: 00007FFE0144A631
                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE0144576B), ref: 00007FFE0144A66F
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                            • String ID:
                                                            • API String ID: 3421985146-0
                                                            • Opcode ID: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                            • Instruction ID: b5fa5c70a73e93cef0eeff36d4f411083ac5a66dcf306c33de4f989bfc79fdcd
                                                            • Opcode Fuzzy Hash: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                            • Instruction Fuzzy Hash: 9C216271B08B8287EB108F269540129B7A6FBD8FD4B554139DA9E5B7B4CF3CE8018701
                                                            Function 000000014000FAA0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 60COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                              • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                              • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                            • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                            • API String ID: 1351999747-1487749591
                                                            • Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                            • Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
                                                            • Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                            • Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750
                                                            Function 00007FFE0144B090 Relevance: 6.0, APIs: 4, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                            • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                            • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                            • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                            • String ID:
                                                            • API String ID: 3203701943-0
                                                            • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                            • Instruction ID: 27995d93114d3393fdb3d30b3ff7f043faee3ff724d081a72b0c0096806cb4ac
                                                            • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                            • Instruction Fuzzy Hash: F701C4A2E15B9287EB058F7AD804178B7B0FB58BC9B149235DA4E8B734DE3CD0D28700
                                                            Function 00007FFE01448620 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: memmove$FormatFreeLocalMessage
                                                            • String ID: unknown error
                                                            • API String ID: 725469203-3078798498
                                                            • Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                            • Instruction ID: 17afe8b569a1dc4d99b5589d7fa99b251464cae2d884bfb8ff4c8378664d8cf4
                                                            • Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                            • Instruction Fuzzy Hash: 75116D2260878682E7209F25E14036DB7A1FB99BCCF484234EA8C0F7BACF7CD5548741
                                                            Function 00007FFE01412468 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: malloc
                                                            • String ID: MOC$RCC$csm
                                                            • API String ID: 2803490479-2671469338
                                                            • Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                            • Instruction ID: 43a87895358fa856cccaa51a70cdbb50e5a988a60a8125b08d7d15fa9ed93871
                                                            • Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                            • Instruction Fuzzy Hash: FF018421E4810286EB749F15A54457D32B1EF48B88F285036DB0D8F7B5DEACA891C642
                                                            Function 00007FFE0143C9A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                            • String ID: 0123456789-
                                                            • API String ID: 4032823789-3850129594
                                                            • Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                            • Instruction ID: 41f23bc4f4aecb7ff73831e3e223233bb9cebddefe4a28db44b47c6b657fc8d3
                                                            • Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                            • Instruction Fuzzy Hash: 8D714872B19B5699EB10DFA5E4902AC2371EB48BD8F404136DE4D6BBB8DE3CD45AC340
                                                            Function 00007FFE0143CC30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                            • String ID: %.0Lf
                                                            • API String ID: 296878162-1402515088
                                                            • Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                            • Instruction ID: a8b2f1102494e6dbe1d52788783155a2dd870cf7debdd3a0096720409bd415ac
                                                            • Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                            • Instruction Fuzzy Hash: 30715C32B08B9685EB11CB66E8402AD73B1EB98B98F544132EE4D6BB79DF3CD455C340
                                                            Function 00007FFE0143C710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                            • String ID: %.0Lf
                                                            • API String ID: 296878162-1402515088
                                                            • Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                            • Instruction ID: 0e720c3b4451121ce69fa7f4d10a1d784ad0a86bd7410e5a35948518414bc234
                                                            • Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                            • Instruction Fuzzy Hash: 40714D22B08B8685EB11CB66E8402AD63B1EF94BD8F514132EE4D6BB79DF3CD455C340
                                                            Function 00007FFE01448F00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: rand_s
                                                            • String ID: invalid random_device value
                                                            • API String ID: 863162693-3926945683
                                                            • Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                            • Instruction ID: f9b9ba42e8c784d570e027da5a9500613acdb36e002085c0ed20191c1881b9f7
                                                            • Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                            • Instruction Fuzzy Hash: 8351F462D18E868AF3529B34C4511BB6366FF2A3CCF144732E61E3E5B5DF2DE4929200
                                                            Function 00007FFE1A534710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort$CreateFrameInfo
                                                            • String ID: csm
                                                            • API String ID: 2697087660-1018135373
                                                            • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                            • Instruction ID: f7f131ed5dccea3007f1aa77877381869e52ecf36d6b516042412206feaeb24a
                                                            • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                            • Instruction Fuzzy Hash: E9512B7671CB8186D620AB17A04127E77B5FB8ABA1F1405B6DB8D07B66CF38E461CB00
                                                            Function 00007FFE1A522590 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00007FFE1A52349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A521222), ref: 00007FFE1A5234DC
                                                            • _CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A522666
                                                            • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A5226C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874121796.00007FFE1A521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874062623.00007FFE1A520000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874167385.00007FFE1A528000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874188173.00007FFE1A529000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a520000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: abort$CreateFrameInfo
                                                            • String ID: csm
                                                            • API String ID: 2697087660-1018135373
                                                            • Opcode ID: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
                                                            • Instruction ID: 819e488be140511e8acabbd7ab315257f12f2524bedc085ae2ebbf0166cb6849
                                                            • Opcode Fuzzy Hash: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
                                                            • Instruction Fuzzy Hash: D8515A7661CB41C6D620AF52A08427E77A5FB8AFA0F1415B6EB8D07B66DF3CE451CB00
                                                            Function 00007FFE01447330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                            • String ID: !%x
                                                            • API String ID: 1195835417-1893981228
                                                            • Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                            • Instruction ID: 4be17fc74d9bd47712fa1e4128ce1c7e5eefdb8c14388b600ea9d89bae55e80a
                                                            • Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                            • Instruction Fuzzy Hash: AE416862F14A9299FB008BA5D8417FC3B71EB48798F444532EE5D2BAA9DF3C9186C300
                                                            Function 00007FFE014132D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE01413305
                                                              • Part of subcall function 00007FFE014625AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01415AF8), ref: 00007FFE014625C6
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE014157FA,?,?,?,00007FFE01414438), ref: 00007FFE014132FE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                            • String ID: ios_base::failbit set
                                                            • API String ID: 1934640635-3924258884
                                                            • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                            • Instruction ID: cc2cf07ec1e50d03e7dc88cac36d53d76753856fc7d5ed92b0a641e4167d5cc2
                                                            • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                            • Instruction Fuzzy Hash: F421B421B09B8595DB70CF11E5442AAB3A4FB48BE0F544631EE9C4BBB9EF3CD5458704
                                                            Function 00007FFE1A539BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: Name::operator+
                                                            • String ID: void$void
                                                            • API String ID: 2943138195-3746155364
                                                            • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                            • Instruction ID: 6d1d44f62ee5a8f2598de29236c61aeedd567e38c12f4c28790ba6cc887ffc0a
                                                            • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                            • Instruction Fuzzy Hash: A7312762F1CE5988FB10CB62E8510FC37B0BB89B58B4405BADE4E53B69EF389144C750
                                                            Function 000000014000E370 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                            • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                            • API String ID: 1654775311-1428855073
                                                            • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                            • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                            • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                            • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                            Function 00007FFE0141F1B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE0141C744), ref: 00007FFE0141F1D4
                                                              • Part of subcall function 00007FFE0144B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B0
                                                              • Part of subcall function 00007FFE0144B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0B8
                                                              • Part of subcall function 00007FFE0144B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0C1
                                                              • Part of subcall function 00007FFE0144B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01416093), ref: 00007FFE0144B0DD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                            • String ID: false$true
                                                            • API String ID: 2502581279-2658103896
                                                            • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                            • Instruction ID: 08892b7f947a3a59789def9685527f51600b2f674d3ae24b34741ea0e7e71a54
                                                            • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                            • Instruction Fuzzy Hash: 39218176608B8691E720DF21E4403A937B0FB98BA8F484532DA9C0B779DF3CD595C780
                                                            Function 00007FFE1A53604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: FileHeader$ExceptionRaise
                                                            • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                            • API String ID: 3685223789-3176238549
                                                            • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                            • Instruction ID: 2e7033c215fcb6bc7fb7089690df9eaf4ea99f5ff855eece9ab13efdae4accf1
                                                            • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                            • Instruction Fuzzy Hash: 3701B161B2DE4692EE009B16E4511B96320FFD1FA4F4060F7E60E07ABAEF6CD404C710
                                                            Function 00007FFE1A5363F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFileHeaderRaise
                                                            • String ID: csm
                                                            • API String ID: 2573137834-1018135373
                                                            • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                            • Instruction ID: c4682dba150fd1e7b3611c8f821ee4c8cf76714fe250407acccca985c27949dd
                                                            • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                            • Instruction Fuzzy Hash: 57112E32A1CB4182EB518F16E44026A7BA5FB85F94F1841B5DE8D07B64EF3DD5518700
                                                            Function 00007FFE1A5231C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874121796.00007FFE1A521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874062623.00007FFE1A520000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874167385.00007FFE1A528000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874188173.00007FFE1A529000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a520000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFileHeaderRaise
                                                            • String ID: csm
                                                            • API String ID: 2573137834-1018135373
                                                            • Opcode ID: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                            • Instruction ID: eb552fdd4f7f480a04821428787996e33e0e88dd629c091692159d5a69ba89b4
                                                            • Opcode Fuzzy Hash: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                            • Instruction Fuzzy Hash: CD112B3261CB4582EB108B56F84026977A1FB89FA8F5842B2EF9D07765DF3CD555CB00
                                                            Function 00007FFE01416A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE01416A3D
                                                              • Part of subcall function 00007FFE01414DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01426AB5,?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01414DF9
                                                              • Part of subcall function 00007FFE01414DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01426AB5,?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01414E28
                                                              • Part of subcall function 00007FFE01414DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE01426AB5,?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01414E3F
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE01416A5A
                                                            Strings
                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE01416A65
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$Getmonthsmallocmemmove
                                                            • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                            • API String ID: 794196016-2030377133
                                                            • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                            • Instruction ID: 0b44b094cde341cc57ff21e1f9ff91eccc70673921ba72c7457bdb2b2d982b77
                                                            • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                            • Instruction Fuzzy Hash: B3E0C922A15B4292EB409B12F5842696370FB48BD9F885035DA0E0AB75DF7CE4A4C300
                                                            Function 00007FFE014169E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE014169ED
                                                              • Part of subcall function 00007FFE01414DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01426AB5,?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01414DF9
                                                              • Part of subcall function 00007FFE01414DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01426AB5,?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01414E28
                                                              • Part of subcall function 00007FFE01414DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE01426AB5,?,?,?,?,?,?,?,?,?,00007FFE0142A96E), ref: 00007FFE01414E3F
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE01416A0A
                                                            Strings
                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01416A15
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$Getdaysmallocmemmove
                                                            • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                            • API String ID: 2126063425-3283725177
                                                            • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                            • Instruction ID: e7a6181f581b25e5daa63b1ca90944fc64805763fb85f31a2431603943aa9922
                                                            • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                            • Instruction Fuzzy Hash: 86E0C922A15B4292EB109B12F58426963A0EB48BD8F984135DA0D0AB75DF7CE8A4C700
                                                            Function 00007FFE01416330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0141633D
                                                              • Part of subcall function 00007FFE01414D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D72
                                                              • Part of subcall function 00007FFE01414D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D98
                                                              • Part of subcall function 00007FFE01414D50: memmove.VCRUNTIME140(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414DB0
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0141635A
                                                            Strings
                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE01416365
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$Getmonthsmallocmemmove
                                                            • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                            • API String ID: 794196016-4232081075
                                                            • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                            • Instruction ID: 83323f1edb4a629b73e87c197e89a7b49022c392598e3b0f5a003713e5458cfa
                                                            • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                            • Instruction Fuzzy Hash: 57E0C222A19B4292EF009B12F58426963B0EB59BD8F885035DA1D0A775DF7CE9E4C781
                                                            Function 00007FFE014162C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE014162CD
                                                              • Part of subcall function 00007FFE01414D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D72
                                                              • Part of subcall function 00007FFE01414D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414D98
                                                              • Part of subcall function 00007FFE01414D50: memmove.VCRUNTIME140(?,?,?,00007FFE01422124,?,?,?,00007FFE014143DB,?,?,?,00007FFE01415B31), ref: 00007FFE01414DB0
                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE014162EA
                                                            Strings
                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE014162F5
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free$Getdaysmallocmemmove
                                                            • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                            • API String ID: 2126063425-3283725177
                                                            • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                            • Instruction ID: 402fc0a20ce988c76ccc21301f1b0a8a8747f4dff975bf6bae29783ec422df38
                                                            • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                            • Instruction Fuzzy Hash: D6E0ED21A15B8292EF049B12F594369A370FF48BC4F888435DA1D0B775EF3CE4A4C700
                                                            Function 0000000140012990 Relevance: 5.1, APIs: 4, Instructions: 105COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrow
                                                            • String ID:
                                                            • API String ID: 432778473-0
                                                            • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                            • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                            • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                            • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                            Function 00000001400124D0 Relevance: 5.1, APIs: 4, Instructions: 77COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1872854235.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                            • Associated: 0000000A.00000002.1872832078.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872876432.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872899069.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1872943905.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 2822070131-0
                                                            • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                            • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                            • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                            • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                            Function 00007FFE1A53672C Relevance: 5.1, APIs: 4, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,00007FFE1A5365B9,?,?,?,?,00007FFE1A53FB22,?,?,?,?,?), ref: 00007FFE1A53674B
                                                            • SetLastError.KERNEL32(?,?,?,00007FFE1A5365B9,?,?,?,?,00007FFE1A53FB22,?,?,?,?,?), ref: 00007FFE1A5367D4
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874223831.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874209482.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874249575.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874270510.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874290348.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                            • Instruction ID: 0ee3973e0b358cfa8cd0812017aa008c343511199b665b3dec7f189b38af078c
                                                            • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                            • Instruction Fuzzy Hash: FE113324F0DE5282FA549723A8141362691AF86FB0F5446FED96E07BF5EE2CA8418720
                                                            Function 00007FFE1A5233DC Relevance: 5.1, APIs: 4, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,00007FFE1A52329D,?,?,?,?,00007FFE1A52411A,?,?,?,?,?), ref: 00007FFE1A5233FB
                                                            • SetLastError.KERNEL32(?,?,?,00007FFE1A52329D,?,?,?,?,00007FFE1A52411A,?,?,?,?,?), ref: 00007FFE1A523483
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1874121796.00007FFE1A521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                            • Associated: 0000000A.00000002.1874062623.00007FFE1A520000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874142696.00007FFE1A525000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874167385.00007FFE1A528000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874188173.00007FFE1A529000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe1a520000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            • Opcode ID: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
                                                            • Instruction ID: a71db8efae75ca1ec57bd9d3d458c75d77a6fa8ab946461c9a7e7c854444ee1d
                                                            • Opcode Fuzzy Hash: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
                                                            • Instruction Fuzzy Hash: 7E112E60F0DE12D2EA1597A3A8445792293AF46FB0F0846F7D96E073F6DE2CB4418740
                                                            Function 00007FFE01441DB0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            • Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                            • Instruction ID: a7c433c765bf6fc29ca3e7a7df75f7acf287aaffdb273a342cda0d227f2f9429
                                                            • Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                            • Instruction Fuzzy Hash: 98F0E236A19B4292EB449B16EAA41687371FB88FD8F544032CA4E4BB70DF6DE4A58301
                                                            Function 00007FFE01428C60 Relevance: 5.0, APIs: 4, Instructions: 27COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            • Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                            • Instruction ID: d11555019c261e88f24ceb180d038c81811313fc35bfa0f05e1c5abb5c73b372
                                                            • Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                            • Instruction Fuzzy Hash: 4FF0E732A19B4396EB449B16E9A416873B0FF88FD8F544032CA4D4BB70DF7CE4A58301
                                                            Function 00007FFE01428CD0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            • Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                            • Instruction ID: dae331a2c7e7b3bbe0873149a93d83371586bdc647cd91e7f2ee6618ccf68570
                                                            • Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                            • Instruction Fuzzy Hash: 99F0E732A19B4396EB449B16E9A416873B0FB88FD8F544032CA4D4BB74DF7CE4A58301
                                                            Function 00007FFE01428A08 Relevance: 5.0, APIs: 4, Instructions: 16COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1873895665.00007FFE01411000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01410000, based on PE: true
                                                            • Associated: 0000000A.00000002.1873861101.00007FFE01410000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1873966620.00007FFE01465000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874003758.00007FFE01493000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874022420.00007FFE01494000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                            • Associated: 0000000A.00000002.1874041260.00007FFE01497000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe01410000_ImporterREDServer.jbxd
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            • Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                            • Instruction ID: 52a713f6eb091503dbe00bd79d4092b184c11fbc0160d13ef9225ffb59a6421b
                                                            • Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                            • Instruction Fuzzy Hash: 93E02676E15A0282EB149F22D8A403863B4FF98FD9F581033CE1E4E274DE6CD8D58301