
Windows Analysis Report
installer.msi

Overview

General Information

Sample name: installer.msi
Analysis ID: 1580451
MD5: 7fa13f4bc687a77f71d4f0f3176b6aa7
SHA1: ec01de1a6f113d2b7c641c5bd81fbd97ebcd91aa
SHA256: 745193845c716367966c6d32712fe64aa8e266687d9972b0b628c3be0976035c
Tags: LegionLoader, msi, RobotDropper, trailbuddymaps-com, user-aachum

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6728 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 428 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 3448 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3138A056C811D1F6BC08A5B6A4F984EC MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 6804 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6644 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 4888 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 4268 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3138A056C811D1F6BC08A5B6A4F984EC, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3448, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6804, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3138A056C811D1F6BC08A5B6A4F984EC, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3448, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6804, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3138A056C811D1F6BC08A5B6A4F984EC, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3448, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6804, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 172.67.196.179, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3448, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started; Author: frack113; Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3138A056C811D1F6BC08A5B6A4F984EC, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3448, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6804, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3138A056C811D1F6BC08A5B6A4F984EC, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3448, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 6804, ProcessName: powershell.exe

Suricata IDS alerts:

Timestamp                          SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-12-24T16:03:17.901402+0100    2829202  1         A Network Trojan was detected  192.168.2.4  49731        172.67.196.179  443               TCP

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 91.8% probability
Source: C:\Windows\System32\msiexec.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C431E5A6-B7FF-4C83-AA62-6161DB3498C7}
Source: unknown; HTTPS traffic detected: 172.67.196.179:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1888418307.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: installer.msi
Source: Binary string: ucrtbase.pdb source: installer.msi
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: installer.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: installer.msi
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000A.00000002.1900138812.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: installer.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: installer.msi
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000A.00000000.1895778507.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1888418307.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: installer.msi
Source: Binary string: ucrtbase.pdbUGP source: installer.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: installer.msi, MSI2A5B.tmp.1.dr, MSI2B69.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: installer.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000A.00000000.1895778507.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: installer.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: installer.msi
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: installer.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: installer.msi, MSI2B39.tmp.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: installer.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: installer.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: installer.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: installer.msi
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: installer.msi
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: installer.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: installer.msi, MSI2B39.tmp.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: installer.msi
Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Windows\System32\cmd.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe; Code function: 10_2_00007FFE0EBEA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn, 10_2_00007FFE0EBEA330

Networking

Source: Network traffic; Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49731 -> 172.67.196.179:443
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: trailbuddymaps.com
Source: unknown; HTTP traffic detected:
    POST /updater.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: trailbuddymaps.com
    Content-Length: 71
    Cache-Control: no-cache
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: installer.msi; String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 00000003.00000002.1848503567.0000000008820000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: installer.msi; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: installer.msi; String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: installer.msi; String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: installer.msi; String found in binary or memory: http://ocsp.digicert.com0K
Source: installer.msi; String found in binary or memory: http://ocsp.digicert.com0N
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000002.1842459659.0000000005346000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: installer.msi; String found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000003.00000002.1842459659.00000000051F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1842459659.0000000005346000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ImporterREDServer.exe, 0000000A.00000002.1900138812.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr; String found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000003.00000002.1842459659.00000000051F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lBkq
Source: installer.msi; String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1842459659.0000000005346000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1842459659.0000000005659000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: classes_nocoops.jsa.1.dr; String found in binary or memory: https://java.oracle.com/
Source: powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: installer.msi; String found in binary or memory: https://trailbuddymaps.com/updater.phpx
Source: installer.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.dr; String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; HTTPS traffic detected: 172.67.196.179:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\592104.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI29ED.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2A5B.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2A9B.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2AEA.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2B39.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2B69.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2BA9.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4963.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{C431E5A6-B7FF-4C83-AA62-6161DB3498C7}Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5599.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI55AA.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\592107.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\592107.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI29ED.tmpJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04DA32A0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC03F00
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBFDF10
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC00710
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC1B698
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBED810
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBEC780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC04780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBF8FB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBFBCD0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC144E0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC06C84
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBF6440
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBF9460
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC00C60
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC05470
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBFCDF0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC1BDA0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC195A8
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC12D70
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC06338
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC1A27C
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBFABB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC04340
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBF60D0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC12880
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBEE8B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC02208
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC1F9DA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBEF9B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE1A457508
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: installer.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameDataUploader.dllF vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameucrtbase.dllj% vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenamevcruntime140.dllT vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenamemsvcp140.dllT vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs installer.msi
Source: dvacore.dll.1.dr | Binary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engine | Classification label: mal64.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_0000000140010BE0 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EBEA7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML60AD.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFA693C1C9851578A8.TMP
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3138A056C811D1F6BC08A5B6A4F984EC
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3138A056C811D1F6BC08A5B6A4F984EC
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvacore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: libzip.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_system.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_filesystem.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvaunittesting.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: utest.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140_1.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C431E5A6-B7FF-4C83-AA62-6161DB3498C7}
Source: installer.msi | Static file information: File size 60283392 > 1048576
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1888418307.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: installer.msi
Source: Binary string: ucrtbase.pdb source: installer.msi
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: installer.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: installer.msi
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000A.00000002.1900138812.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: installer.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: installer.msi
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000A.00000000.1895778507.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000000.1888418307.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: installer.msi
Source: Binary string: ucrtbase.pdbUGP source: installer.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: installer.msi, MSI2A5B.tmp.1.dr, MSI2B69.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: installer.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000A.00000000.1895778507.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: installer.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: installer.msi
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: installer.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: installer.msi, MSI2B39.tmp.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: installer.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: installer.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: installer.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: installer.msi
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: installer.msi
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: installer.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: installer.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: installer.msi, MSI2B39.tmp.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: installer.msi
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.dr | Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr | Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr | Static PE information: section name: _RDATA
Source: createdump.exe.1.dr | Static PE information: section name: _RDATA
Source: MSI55AA.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI29ED.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2A5B.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2A9B.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2AEA.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2B39.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2B69.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI2BA9.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI4963.tmp.1.dr | Static PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04DABD8C push esp; ret 3_2_04DABD93
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_07C306C3 push es; ret 3_2_07C306CE
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2BA9.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI55AA.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI29ED.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2AEA.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4963.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2A9B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2B39.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2A5B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2B69.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 10_2_00007FFE0EC1C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_00007FFE0EC1C0C0
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX (4 entries)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 703
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started (43 files):
  Under C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ (34 files):
    api-ms-win-core-console-l1-2-0.dll
    api-ms-win-core-sysinfo-l1-1-0.dll
    api-ms-win-crt-conio-l1-1-0.dll
    api-ms-win-core-file-l2-1-0.dll
    boost_regex.dll
    BCUninstaller.exe
    api-ms-win-crt-environment-l1-1-0.dll
    boost_program_options.dll
    api-ms-win-core-file-l1-1-0.dll
    api-ms-win-core-synch-l1-2-0.dll
    api-ms-win-core-localization-l1-2-0.dll
    api-ms-win-core-memory-l1-1-0.dll
    api-ms-win-core-namedpipe-l1-1-0.dll
    api-ms-win-core-handle-l1-1-0.dll
    api-ms-win-core-util-l1-1-0.dll
    api-ms-win-core-string-l1-1-0.dll
    api-ms-win-crt-filesystem-l1-1-0.dll
    api-ms-win-core-rtlsupport-l1-1-0.dll
    api-ms-win-core-heap-l1-1-0.dll
    api-ms-win-core-interlocked-l1-1-0.dll
    api-ms-win-core-processenvironment-l1-1-0.dll
    api-ms-win-core-debug-l1-1-0.dll
    api-ms-win-crt-convert-l1-1-0.dll
    api-ms-win-core-timezone-l1-1-0.dll
    api-ms-win-core-file-l1-2-0.dll
    api-ms-win-core-console-l1-1-0.dll
    api-ms-win-core-processthreads-l1-1-0.dll
    api-ms-win-core-synch-l1-1-0.dll
    api-ms-win-core-errorhandling-l1-1-0.dll
    UnRar.exe
    api-ms-win-core-processthreads-l1-1-1.dll
    api-ms-win-core-profile-l1-1-0.dll
    api-ms-win-core-datetime-l1-1-0.dll
    api-ms-win-core-libraryloader-l1-1-0.dll
  Under C:\Windows\Installer\ (9 files):
    MSI2BA9.tmp
    MSI2A9B.tmp
    MSI55AA.tmp
    MSI2B39.tmp
    MSI2A5B.tmp
    MSI29ED.tmp
    MSI2AEA.tmp
    MSI4963.tmp
    MSI2B69.tmp
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4888 Thread sleep count: 4234 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4308 Thread sleep count: 703 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6556 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6748 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation (7 entries)
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 10_2_00007FFE0EBEA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,10_2_00007FFE0EBEA330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 entries)
Source: classes_nocoops.jsa.1.dr Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.dr Binary or memory string: ,jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr Binary or memory string: ()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.dr Binary or memory string: VirtualMachineError.java
Source: MSI2B39.tmp.1.dr Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: classes_nocoops.jsa.1.dr Binary or memory string: jdk/vm/ci/common/JVMCIError
Source: classes_nocoops.jsa.1.dr Binary or memory string: jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.1.dr Binary or memory string: jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr Binary or memory string: &jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.1.dr Binary or memory string: ()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.dr Binary or memory string: java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.1.dr Binary or memory string: 7jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr Binary or memory string: <"()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.dr Binary or memory string: java/lang/VirtualMachineError
Source: classes_nocoops.jsa.1.dr Binary or memory string: org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.1.dr Binary or memory string: %jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.dr Binary or memory string: jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.dr Binary or memory string: ;jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr Binary or memory string: jdk/vm/ci/runtime/JVMCI
Source: classes_nocoops.jsa.1.dr Binary or memory string: )()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: classes_nocoops.jsa.1.dr Binary or memory string: UG#java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.1.dr Binary or memory string: #()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.dr Binary or memory string: jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr Binary or memory string: jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.dr Binary or memory string: <org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.1.dr Binary or memory string: Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.dr Binary or memory string: ()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
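Two different things are mixed into the string hits above. The classes_nocoops.jsa entries are JDK class and method names (java.lang.VirtualMachineError, the jdk.vm.ci JVM Compiler Interface) from a Java class-data-sharing archive the installer drops; they contain substrings such as "VirtualMachine" and "VMCI" that the sandbox's string heuristic associates with VMware, and they say nothing about evasion. The MSI2B39.tmp string, by contrast, is a real hypervisor vendor and model list (VMware, innotek/VirtualBox, Hyper-V's "Microsoft Corporation" / "Virtual Machine") sitting in the same string table as MSI property names such as ProgramFilesFolder and SETUPEXEDIR, next to "Getting system information Manufacturer [ Model [ BIOS [": an environment check in installer custom-action code. The Python below is an example added by the editor, not code from the sample or from the Joe Sandbox report. It shows how a check built on exactly these strings works and why the manufacturer has to be paired with the model: "Microsoft Corporation" on its own also describes physical Surface hardware. Splitting the run-together "VRTUALACRSYSA M I" into the BIOS markers "VRTUAL", "ACRSYS" and "A M I" is the editor's assumption, and the SMBIOS tuples fed to the check are constructed.

```python
import platform
import subprocess
from typing import List, Tuple

# Manufacturer/model pairs recovered from the MSI2B39.tmp string table in the report.
MANUFACTURER_MODEL_PAIRS: Tuple[Tuple[str, Tuple[str, ...]], ...] = (
    ("VMware, Inc.", ("VMware Virtual Platform", "VMware7,1", "VMware20,1")),
    ("innotek GmbH", ("VirtualBox",)),
    ("Microsoft Corporation", ("Virtual Machine",)),   # Hyper-V guest
)
# BIOS strings from the same blob; how "VRTUALACRSYSA M I" splits is assumed here.
BIOS_MARKERS: Tuple[str, ...] = ("VRTUAL", "ACRSYS", "A M I")


def virtual_indicators(manufacturer: str, model: str, bios: str) -> List[str]:
    """Reasons the SMBIOS values look like a hypervisor guest (empty list = none).

    bios is the BIOS vendor and version text joined, since "VRTUAL" appears in
    the version string of older Hyper-V firmware rather than in the vendor field.
    """
    reasons: List[str] = []
    manufacturer, model, bios = (s.strip() for s in (manufacturer, model, bios))
    for vendor, models in MANUFACTURER_MODEL_PAIRS:
        if manufacturer.casefold() == vendor.casefold():
            # Require the model too: "Microsoft Corporation" alone is also Surface hardware.
            if any(model.casefold().startswith(m.casefold()) for m in models):
                reasons.append(f"manufacturer/model={manufacturer}/{model}")
            break
    for marker in BIOS_MARKERS:
        if marker.casefold() in bios.casefold():
            reasons.append(f"bios={marker}")
    return reasons


def is_virtual(manufacturer: str, model: str, bios: str) -> bool:
    return bool(virtual_indicators(manufacturer, model, bios))


# Constructed (manufacturer, model, BIOS text) tuples with the verdict each should get.
SAMPLES = [
    (("VMware, Inc.", "VMware Virtual Platform", "Phoenix Technologies LTD 6.00"), True),
    (("innotek GmbH", "VirtualBox", "innotek GmbH VirtualBox"), True),
    (("Microsoft Corporation", "Virtual Machine", "VRTUAL - 1"), True),
    (("Microsoft Corporation", "Surface Pro 7", "Microsoft Corporation 1.0.0"), False),
    (("Dell Inc.", "Latitude 7420", "Dell Inc. 1.24.0"), False),
]


def read_smbios_windows() -> Tuple[str, str, str]:
    """Collect the same three values from WMI on a live Windows host (not used offline)."""
    script = ("$cs = Get-CimInstance Win32_ComputerSystem; $b = Get-CimInstance Win32_BIOS; "
              "$cs.Manufacturer; $cs.Model; \"$($b.Manufacturer) $($b.SMBIOSBIOSVersion)\"")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", script],
                         capture_output=True, text=True, check=True).stdout.splitlines()
    return out[0], out[1], out[2]


if __name__ == "__main__":
    for values, expected in SAMPLES:
        verdict = "ok" if is_virtual(*values) == expected else "UNEXPECTED"
        print(values, virtual_indicators(*values), verdict)
    if platform.system() == "Windows":
        print("this host:", virtual_indicators(*read_smbios_windows()))
```

When triaging a report like this one, the useful question is not whether a VM list exists in a dropped file but which process evaluates it and what it does on a hit; here the list lives in an MSI custom-action DLL, and the report records no branch on the result.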
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 7_2_00007FF7B8DF2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF7B8DF2ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 7_2_00007FF7B8DF2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF7B8DF2984
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 7_2_00007FF7B8DF2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF7B8DF2ECC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 7_2_00007FF7B8DF3074 SetUnhandledExceptionFilter,7_2_00007FF7B8DF3074
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 10_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 10_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 10_2_0000000140011F24 SetUnhandledExceptionFilter,10_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 10_2_00007FFE0EC32CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE0EC32CDC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 10_2_00007FFE148E4568 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE148E4568
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 10_2_00007FFE1A46004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE1A46004C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." (4 entries, two of them printed in lower case)
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
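The launch above, a 32-bit msiexec.exe starting powershell.exe with -ExecutionPolicy Bypass on scripts written to the user's Temp folder, is what the "Bypasses PowerShell execution policy" signature and the two Sigma rules key on. The argument set (-propFile, -scriptFile, -propSep, -lineSep, -testPrefix) is the one emitted by the PowerShell custom-action launcher of the Advanced Installer MSI builder, so the same command line also appears when benign packages run their install scripts; the parent alone is a weak signal, and it is the Temp-folder script together with the rest of this report (binaries dropped under AppData\Roaming, cmd.exe running a .bat that starts ImporterREDServer.exe) that makes it worth escalating. The Python below is an example added by the editor, not part of the Joe Sandbox report or the sample. It runs the detection logic a SOC would apply to process-creation telemetry over Sysmon Event ID 1 style records (fields Image, ParentImage, CommandLine): the first record is built from the command line shown above, the other two are constructed for contrast. The switch abbreviations it accepts (-ep, -ex, -exec) are prefixes powershell.exe really honours for -ExecutionPolicy.

```python
import re
from typing import Dict, List

# Sysmon Event ID 1 style records. The first command line is the one the report
# shows msiexec.exe launching; the other two records are constructed for contrast.
EVENTS: List[Dict[str, str]] = [
    {
        "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            r'powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass '
            r'-File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" '
            r'-propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" '
            r'-scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" '
            r'-scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt"'
        ),
    },
    {   # constructed: an administrator running a script kept in a fixed location
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoProfile -File "C:\Scripts\backup.ps1"',
    },
    {   # constructed: abbreviated switch, lower case, unquoted Temp path
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -ep bypass -file c:\users\user\appdata\local\temp\upd.ps1",
    },
]

# -ExecutionPolicy and the prefixes powershell.exe accepts for it (-ep, -ex, -exec),
# followed by a policy value that switches script checks off.
POLICY_OVERRIDE = re.compile(
    r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+(?:bypass|unrestricted)\b", re.IGNORECASE)
# The script handed to -File, quoted or bare. "-propFile" and "-scriptFile" do not
# match because the hyphen has to sit directly in front of "file".
SCRIPT_ARG = re.compile(r'-file\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
USER_TEMP = "\\appdata\\local\\temp\\"


def assess(event: Dict[str, str]) -> Dict[str, object]:
    """Return the indicators found in one process-creation record and a verdict."""
    reasons: List[str] = []
    if not event["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return {"suspicious": False, "reasons": reasons, "script": ""}
    if event["ParentImage"].lower().endswith("\\msiexec.exe"):
        reasons.append("parent-is-msiexec")
    if POLICY_OVERRIDE.search(event["CommandLine"]):
        reasons.append("execution-policy-override")
    match = SCRIPT_ARG.search(event["CommandLine"])
    script = (match.group(1) or match.group(2)) if match else ""
    if USER_TEMP in script.lower():
        reasons.append("script-in-user-temp")
    # An override on its own is routine in admin tooling; demand a second indicator.
    suspicious = "execution-policy-override" in reasons and len(reasons) >= 2
    return {"suspicious": suspicious, "reasons": reasons, "script": script}


def flagged(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of the records that should be escalated."""
    return [i for i, event in enumerate(events) if assess(event)["suspicious"]]


if __name__ == "__main__":
    for i, event in enumerate(EVENTS):
        print(i, assess(event))
```

The record built from this report is flagged on all three indicators; the constructed admin launch from explorer.exe is not, and the abbreviated "-ep bypass" launch from cmd.exe is caught on the override plus the Temp path.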
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: ___lc_locale_name_func,GetLocaleInfoEx,10_2_00007FFE0EC0EFC0
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 7_2_00007FF7B8DF2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF7B8DF2DA0
MITRE ATT&CK Matrix (one list per tactic column; a leading number is the badge the report shows on techniques matched by its signatures, unnumbered entries are the matrix's unmatched techniques)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Windows Service; 11 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 21 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 11 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 Peripheral Device Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1580451, Sample: installer.msi, Startdate: 24/12/2024, Architecture: WINDOWS, Score: 64)

Signatures attached to the sample node: Suricata IDS alerts for network traffic; AI detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder
Network: trailbuddymaps.com -> 172.67.196.179:443 (local port 49731), CLOUDFLARENETUS, United States, contacted by the second msiexec.exe

Process tree (graph node numbers in brackets, other counts as printed on the node):
  msiexec.exe [9] (139, 107)
    dropped: C:\Windows\Installer\MSI55AA.tmp (PE32); C:\Windows\Installer\MSI4963.tmp (PE32); C:\Windows\Installer\MSI2BA9.tmp (PE32); 52 other files (none is malicious)
    msiexec.exe [14] (14)
      network: trailbuddymaps.com
      dropped: C:\Users\user\AppData\Local\...\scr56AB.ps1 (Unicode); C:\Users\user\AppData\Local\...\pss56BD.ps1 (Unicode); C:\Users\user\AppData\Local\...\msi56AA.txt (Unicode)
      signature: Bypasses PowerShell execution policy
      powershell.exe [23] (17)
        conhost.exe [31]
    cmd.exe [19] (1)
      ImporterREDServer.exe [25] (1)
        conhost.exe [33]
      conhost.exe [27]
    createdump.exe [21] (1)
      conhost.exe [29]
  msiexec.exe [12] (2)


No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll | 0% | ReversingLabs
C:\Windows\Installer\MSI29ED.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2A5B.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2A9B.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2AEA.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2B39.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2B69.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI2BA9.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI4963.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI55AA.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://java.oracle.com/ | 0% | Avira URL Cloud | safe
https://trailbuddymaps.com/updater.phpx | 0% | Avira URL Cloud | safe
https://trailbuddymaps.com/updater.php | 0% | Avira URL Cloud | safe
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | 0% | Avira URL Cloud | safe
http://schemas.mick | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
trailbuddymaps.com | 172.67.196.179 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://trailbuddymaps.com/updater.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000003.00000002.1848503567.0000000008820000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1842459659.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1842459659.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.1842459659.0000000005659000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://java.oracle.com/ | classes_nocoops.jsa.1.dr | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1845276239.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mick | installer.msi | false | Avira URL Cloud: safe | unknown
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 0000000A.00000002.1900138812.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lBkq | powershell.exe, 00000003.00000002.1842459659.00000000051F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://trailbuddymaps.com/updater.phpx | installer.msi | false | Avira URL Cloud: safe | unknown
https://aka.ms/winui2/webview2download/Reload(): | installer.msi | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1842459659.00000000051F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1842459659.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.196.179 | trailbuddymaps.com | United States | | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580451
Start date and time: 2024-12-24 16:02:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: installer.msi
Detection: MAL
Classification: mal64.evad.winMSI@17/91@1/1
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 12
• Number of non-executed functions: 182
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ImporterREDServer.exe, PID 4888 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 6804 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: installer.msi
Time | Type | Description
10:03:18 | API Interceptor | 6x Sleep call for process: powershell.exe modified
                              No context
                              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | Setup.exe | Get hash | malicious | LummaC | Browse | 104.21.88.181
 | badvbscript.html | Get hash | malicious | Unknown | Browse | 1.1.1.1
 | #U65b0#U5efa #U6587#U672c#U6587#U6863.ps1 | Get hash | malicious | Unknown | Browse | 172.67.201.143
 | https://u48635528.ct.sendgrid.net/ls/click?upn=u001.9c3qucD-2BQzNTT0bmLRTJr37m0fhz0zdKJtvEO5GYL-2FheRuyVOh-2FQG4V3oBgBPYNynDxn_I1ksFJapfNmw0nKrksu71KTxdlg2CVrjzBUVofCtIEhaWkhL1Pph-2Ffg-2BCFbPvkCL9SX-2Fn-2BNBrku3RcjHS1atB8ladrmemt-2BtQU5680xhgoUl-2FmS0Bdj-2FOfednny-2F-2Bj2bwjjubeRvrpN0J7TGLD3CnNRzymiQOzypjCqxHhzmXtY2EWHJMJBxjl-2FHlyEIekWjEdTpTsRC8R5LaI-2BXF4kV8UeUtXxyFJLbYiR3fqcWt2evvBBECu9MeQj8TLZrmfuTf-2BJQraijp8-2BcIdxf8rnVxjHoJK1lo9-2Bkao444JbRSinVA-2FoUxeuAtdlrITU1Z6gHAn7DLZstY4XJkhkT16-2F2TN4CFt2LQ-2BEh9GWg4EPlocPi8ljTs-2B9D9RVbWdc3s2Vk2VPHSj20oCO3-2FalihBzGJuaYie5tnYaz6wBF3EqNzMXmVqRnMZwSYuGRwSMVhkchytYzt3hUH-2F51IUfn7nuhHUcUbdS8nBYneAMuB2eSDRn8IZzUkExLUascCVn8T9ImEyo0qhVsBPdJjfT9L3qli9clY1N-2BhQXDZgQnsN1Bs9PujeLzem37C62BvWnqPnqvXh5vbcvseiZwTP35DEJysw-3D-3D#mlyon@wc.com | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
 | vce exam simulator 2.2.1 crackk.exe | Get hash | malicious | LummaC | Browse | 104.21.33.227
 | iUKUR1nUyD.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 172.67.199.72
 | j6ks0Fxu6t.exe | Get hash | malicious | LummaC | Browse | 104.21.36.201
 | wIgjKoo9iI.exe | Get hash | malicious | LummaC | Browse | 104.21.36.201
 | Canvas of Kings_N6xC-S2.exe | Get hash | malicious | Unknown | Browse | 104.20.86.8
 | Canvas of Kings_N6xC-S2.exe | Get hash | malicious | Unknown | Browse | 104.20.86.8
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | #U65b0#U5efa #U6587#U672c#U6587#U6863.ps1 | Get hash | malicious | Unknown | Browse | 172.67.196.179
 | T1#U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Nitol | Browse | 172.67.196.179
 | Canvas of Kings_N6xC-S2.exe | Get hash | malicious | Unknown | Browse | 172.67.196.179
 | Technonomic.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 172.67.196.179
 | installer.msi | Get hash | malicious | Unknown | Browse | 172.67.196.179
 | Azygoses125.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 172.67.196.179
 | Violated Heroine_91zbZ-1.exe | Get hash | malicious | Unknown | Browse | 172.67.196.179
 | 3gPZmVbozD.msi | Get hash | malicious | Unknown | Browse | 172.67.196.179
 | fkawMJ7FH8.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc | Browse | 172.67.196.179
 | ChoForgot.exe | Get hash | malicious | Vidar | Browse | 172.67.196.179
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | E8vC8KRIp1.msi | Get hash | malicious | Unknown | Browse
 | installer.msi | Get hash | malicious | Unknown | Browse
 | 3gPZmVbozD.msi | Get hash | malicious | Unknown | Browse
 | setup.msi | Get hash | malicious | Unknown | Browse
 | installer.msi | Get hash | malicious | Unknown | Browse
 | setup.msi | Get hash | malicious | Unknown | Browse
 | Setup.msi | Get hash | malicious | Unknown | Browse
 | q9bzWO2X1r.msi | Get hash | malicious | Unknown | Browse
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: modified
Size (bytes): 20973
Entropy (8bit): 5.794136217395393
Encrypted: false
SSDEEP: 384:ty8TAZq9brlh/gCmtZMBbTYV5Lx6p446S6NLOuxQa03bqyXz3LF0bNP4Z0S0T7Jw:ty8TAZq9brlh/gCmtZMBbTYV5Lx6p44l
MD5: EBA19351793AD458FD5E3E78644B8E04
SHA1: 817168B473C37BE862C635F0EB190980FDD3A5CA
SHA-256: 52884DDFA04D57707332AB096D5F0AEA5C8D224DB62B7FCDE75F36F48F2B6120
SHA-512: 029273940C24A837C34FA2C911E1C44FA19E84AA2F1D07432607CFE3510B1CF00814897C588FA9CECA6F5A450A3E1993345305C75B0CEAB960EED7EDB706DEEF
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1360
Entropy (8bit): 5.414845440181211
Encrypted: false
SSDEEP: 24:3Uyt3WSKco4KmZjKbmOIKod6lss4RPQoUP7mZ9t7J0gt/NK3R82ia8HSVbV:ky9WSU4xympgv4RIoUP7mZ9tK8NWR82z
MD5: 0AF2B56956B2A454549FD8BB99D9565A
SHA1: 15A0A6176A39136BE948A88C9EC431D5F52298F8
SHA-256: B28F0959939DE6B869BAF884EF52CB70B2444A1005767D5528B2E1F81573ED2B
SHA-512: 0695418FB617BFE2E486871B0CA94F8C22E5A29D440E06DD9F34141CB1E85A24DF4E44855322DDA9C51C5B867A132F6233F63A60F7A17B26200B7421A39E589D
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 96
Entropy (8bit): 2.99798449505456
Encrypted: false
SSDEEP: 3:QmalTuOIAlSRYplflbPRYplf955:Qmalt9lLZiLN
MD5: F26BF481CA203C7D611850139ACBEF41
SHA1: EA86C45B436D1B8F5F42F87AE5034332A5BCFEC4
SHA-256: A6AE6BBFC3486BA26A9A3C67B127D6972D16B8B925BDE4AF20880EE1B1D997CB
SHA-512: D1D2AE7C30A146AC1A85BDC133CE1F105AFC6F4EC8C5BD21A8EAACD0910929D3A9FCB540AB533A253C296C51DC71D1AE58749F7449DAB1C530E82D78D3544E4E
Malicious: true
Preview (UTF-16 decoded): CeveralSes :<->:  <<:>> TrialNow :<->: 0 <<:>> 
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6668
Entropy (8bit): 3.5127462716425657
Encrypted: false
SSDEEP: 96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
MD5: 30C30EF2CB47E35101D13402B5661179
SHA1: 25696B2AAB86A9233F19017539E2DD83B2F75D4E
SHA-256: 53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
SHA-512: 882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
Malicious: true
Preview (UTF-16 decoded, truncated by the sandbox):
    param(
      [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
     ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
     ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
     ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
     ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
     ,[Parameter(Mandatory=$true)]
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 250
Entropy (8bit): 3.576902729499699
Encrypted: false
SSDEEP: 6:QfFok79idK3fclQ9zgltHN+KiVmMXFVrMTlp1LlG7JidK3fpdInO:QfF3IugM/XFVrMTWNvn
MD5: 479FAC6E0C05C5A57698619AFE51DEF2
SHA1: 1AF4A4DB75ACE8324ED7BFF59D711E80A7BDB821
SHA-256: 700080D274E5629A2BFA0D47B9BAF53AD69E67A64A2B04D84115D5851AB3DDBD
SHA-512: B0B5065C216EBC1124B985F3FF86EE7C7E7E9B994190D1103C454EDD602E0242B7160BFFB202538470254675DFACAC6159F1A459B979DAD563BDED84FCED193E
Malicious: true
Preview (UTF-16 decoded):
    $oignqp = AI_GetMsiProperty "CeveralSes"
    $avoijg = [uint32]($oignqp -replace 'b', '')
    AI_SetMsiProperty "TrialNow" $avoijg
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 310928
Entropy (8bit): 6.001677789306043
Encrypted: false
SSDEEP: 3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
MD5: 147B71C906F421AC77F534821F80A0C6
SHA1: 3381128CA482A62333E20D0293FDA50DC5893323
SHA-256: 7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
SHA-512: 2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: E8vC8KRIp1.msi, Detection: malicious, Browse
• Filename: installer.msi, Detection: malicious, Browse
• Filename: 3gPZmVbozD.msi, Detection: malicious, Browse
• Filename: setup.msi, Detection: malicious, Browse
• Filename: installer.msi, Detection: malicious, Browse
• Filename: setup.msi, Detection: malicious, Browse
• Filename: Setup.msi, Detection: malicious, Browse
• Filename: q9bzWO2X1r.msi, Detection: malicious, Browse
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 117496
Entropy (8bit): 6.136079902481222
Encrypted: false
SSDEEP: 1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
MD5: F67792E08586EA936EBCAE43AAB0388D
SHA1: 4A5B4009DE72DB003D57F8A4416D17F95B3539A8
SHA-256: 4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
SHA-512: F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,|..B/..B/..B/.../..B/.G...B/.F...B/.A...B/.C...B/.C...B/..G...B/<.C...B/..C/..B/<.G...B/<../..B/.../..B/<.@...B/Rich..B/................PE..d.....-a..........#............................@.....................................].... .................................................D...,...............`....................]..T...................P_..(...P^...............0..H............................text............................... ..`.rdata...o...0...p..."..............@..@.data...@...........................@....pdata..`...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):506008
                                              Entropy (8bit):6.4284173495366845
                                              Encrypted:false
                                              SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                              MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                              SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                              SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                              SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............|.&.....|.$.J...|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12224
                                              Entropy (8bit):6.596101286914553
                                              Encrypted:false
                                              SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                              MD5:919E653868A3D9F0C9865941573025DF
                                              SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                              SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                              SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12224
                                              Entropy (8bit):6.640081558424349
                                              Encrypted:false
                                              SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                              MD5:7676560D0E9BC1EE9502D2F920D2892F
                                              SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                              SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                              SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11712
                                              Entropy (8bit):6.6023398138369505
                                              Encrypted:false
                                              SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                              MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                              SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                              SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                              SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11720
                                              Entropy (8bit):6.614262942006268
                                              Encrypted:false
                                              SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                              MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                              SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                              SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                              SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11720
                                              Entropy (8bit):6.654155040985372
                                              Encrypted:false
                                              SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                              MD5:94788729C9E7B9C888F4E323A27AB548
                                              SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                              SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                              SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):15304
                                              Entropy (8bit):6.548897063441128
                                              Encrypted:false
                                              SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                              MD5:580D9EA2308FC2D2D2054A79EA63227C
                                              SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                              SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                              SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11712
                                              Entropy (8bit):6.622041192039296
                                              Encrypted:false
                                              SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                              MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                              SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                              SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                              SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11720
                                              Entropy (8bit):6.730719514840594
                                              Encrypted:false
                                              SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                              MD5:3BF4406DE02AA148F460E5D709F4F67D
                                              SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                              SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                              SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11720
                                              Entropy (8bit):6.626458901834476
                                              Encrypted:false
                                              SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                              MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                              SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                              SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                              SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12232
                                              Entropy (8bit):6.577869728469469
                                              Encrypted:false
                                              SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                              MD5:3A4B6B36470BAD66621542F6D0D153AB
                                              SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                              SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                              SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11712
                                              Entropy (8bit):6.6496318655699795
                                              Encrypted:false
                                              SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                              MD5:A038716D7BBD490378B26642C0C18E94
                                              SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                              SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                              SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12736
                                              Entropy (8bit):6.587452239016064
                                              Encrypted:false
                                              SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                              MD5:D75144FCB3897425A855A270331E38C9
                                              SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                              SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                              SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):14280
                                              Entropy (8bit):6.658205945107734
                                              Encrypted:false
                                              SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                              MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                              SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                              SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                              SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12224
                                              Entropy (8bit):6.621310788423453
                                              Encrypted:false
                                              SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                              MD5:808F1CB8F155E871A33D85510A360E9E
                                              SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                              SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                              SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11720
                                              Entropy (8bit):6.7263193693903345
                                              Encrypted:false
                                              SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                              MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                              SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                              SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                              SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12744
                                              Entropy (8bit):6.601327134572443
                                              Encrypted:false
                                              SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                              MD5:F43286B695326FC0C20704F0EEBFDEA6
                                              SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                              SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                              SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):14272
                                              Entropy (8bit):6.519411559704781
                                              Encrypted:false
                                              SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                              MD5:E173F3AB46096482C4361378F6DCB261
                                              SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                              SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                              SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12232
                                              Entropy (8bit):6.659079053710614
                                              Encrypted:false
                                              SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                              MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                              SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                              SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                              SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11200
                                              Entropy (8bit):6.7627840671368835
                                              Encrypted:false
                                              SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                              MD5:0233F97324AAAA048F705D999244BC71
                                              SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                              SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                              SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12224
                                              Entropy (8bit):6.590253878523919
                                              Encrypted:false
                                              SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                              MD5:E1BA66696901CF9B456559861F92786E
                                              SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                              SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                              SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11720
                                              Entropy (8bit):6.672720452347989
                                              Encrypted:false
                                              SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                              MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                              SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                              SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                              SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):13760
                                              Entropy (8bit):6.575688560984027
                                              Encrypted:false
                                              SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                              MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                              SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                              SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                              SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12232
                                              Entropy (8bit):6.70261983917014
                                              Encrypted:false
                                              SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                              MD5:D175430EFF058838CEE2E334951F6C9C
                                              SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                              SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                              SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12744
                                              Entropy (8bit):6.599515320379107
                                              Encrypted:false
                                              SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                              MD5:9D43B5E3C7C529425EDF1183511C29E4
                                              SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                              SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                              SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12232
                                              Entropy (8bit):6.690164913578267
                                              Encrypted:false
                                              SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                              MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                              SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                              SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                              SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):11720
                                              Entropy (8bit):6.615761482304143
                                              Encrypted:false
                                              SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                              MD5:735636096B86B761DA49EF26A1C7F779
                                              SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                              SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                              SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12744
                                              Entropy (8bit):6.627282858694643
                                              Encrypted:false
                                              SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                              MD5:031DC390780AC08F498E82A5604EF1EB
                                              SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                              SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                              SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):15816
                                              Entropy (8bit):6.435326465651674
                                              Encrypted:false
                                              SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                              MD5:285DCD72D73559678CFD3ED39F81DDAD
                                              SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                              SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                              SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):12232
                                              Entropy (8bit):6.5874576656353145
                                              Encrypted:false
                                              SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                              MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                              SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                              SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                              SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):13768
                                              Entropy (8bit):6.645869978118917
                                              Encrypted:false
                                              SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                              MD5:41FBBB054AF69F0141E8FC7480D7F122
                                              SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                              SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                              SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):61176
                                              Entropy (8bit):5.850944458899023
                                              Encrypted:false
                                              SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                              MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                              SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                              SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                              SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):127224
                                              Entropy (8bit):6.217127607919178
                                              Encrypted:false
                                              SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                              MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                              SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                              SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                              SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):418040
                                              Entropy (8bit):6.1735291180760505
                                              Encrypted:false
                                              SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                              MD5:1CC74B77B1A0B6F14B19F45412D62227
                                              SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                              SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                              SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):698104
                                              Entropy (8bit):6.463466021766765
                                              Encrypted:false
                                              SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                              MD5:087DAF44CD13B79E4D59068B3A1C6250
                                              SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                              SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                              SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):31480
                                              Entropy (8bit):5.969706735107452
                                              Encrypted:false
                                              SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                              MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                              SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                              SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                              SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):103672
                                              Entropy (8bit):5.851546804507911
                                              Encrypted:false
                                              SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                              MD5:129051E3B7B8D3CC55559BEDBED09486
                                              SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                              SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                              SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):57488
                                              Entropy (8bit):6.382541157520703
                                              Encrypted:false
                                              SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                              MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                              SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                              SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                              SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):4664568
                                              Entropy (8bit):6.259383987199329
                                              Encrypted:false
                                              SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                              MD5:A6A89F55416DB79D9E13B82685A04D60
                                              SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                              SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                              SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):215288
                                              Entropy (8bit):6.050529290720027
                                              Encrypted:false
                                              SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                              MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                              SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                              SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                              SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:RAR archive data, v5
                                              Category:dropped
                                              Size (bytes):358590
                                              Entropy (8bit):7.999564476045291
                                              Encrypted:true
                                              SSDEEP:6144:Akpt96f/6iWl5+i+R6545BZw6FWCkEjUR1pA94Wjgfpbrud:Np3SiT596FrkcURAeS
                                              MD5:B898D40131A6DC8943F210B52C9C3C46
                                              SHA1:F7BDFC9A1EF145C25D8D32C95F84DC62D6928534
                                              SHA-256:762467221492397A1A76C8439846A6C60B2094FF2206D7D90062AB02098AFA72
                                              SHA-512:B139ED67F35D33713923714E003F88826C680969A8A47D7BFCEE1F0BCBA80ED0AC9B1BACEB786123348C9CA997F04C565D1FCB6961A4128A5D545E323DFF2D4D
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):566704
                                              Entropy (8bit):6.494428734965787
                                              Encrypted:false
                                              SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                              MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                              SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                              SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                              SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):22
                                              Entropy (8bit):3.879664004902594
                                              Encrypted:false
                                              SSDEEP:3:mKDDlR+7H6U:hOD6U
                                              MD5:D9324699E54DC12B3B207C7433E1711C
                                              SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                              SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                              SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                              Malicious:false
                                              Preview:@echo off..Start "" %1
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):12124160
                                              Entropy (8bit):4.1175508751036585
                                              Encrypted:false
                                              SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                              MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                              SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                              SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                              SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                              Malicious:false
                                              Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):12124160
                                              Entropy (8bit):4.117842215789484
                                              Encrypted:false
                                              SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                              MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                              SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                              SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                              SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                              Malicious:false
                                              Preview:....j..L.........*.\.....................................+..............................j..-.....................................!>.............................|<:.......................A.......@...... t...............................".....................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Java jmod module version 1.0
                                              Category:dropped
                                              Size (bytes):51389
                                              Entropy (8bit):7.916683616123071
                                              Encrypted:false
                                              SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                              MD5:8F4C0388762CD566EAE3261FF8E55D14
                                              SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                              SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                              SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                              Malicious:false
                                              Preview:JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^*#.j...R.A..qV.1o...p.....|._.-N$.!.;X....|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be.*.eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.*t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N....*..r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Java jmod module version 1.0
                                              Category:dropped
                                              Size (bytes):12133334
                                              Entropy (8bit):7.944474086295981
                                              Encrypted:false
                                              SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                              MD5:E3705B15388EC3BDFE799AD5DB80B172
                                              SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                              SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                              SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                              Malicious:false
                                              Preview:JM..PK.........n/Q................classes/module-info.class.X...e../.l.!..!.#..M..."..g..#.B.........0;{.AAD.EE..QQQ.aG....{.]....7......~.{....k...{....<HD...4.......x%?G.4_St.Z...\..].+c..t.t........iC./...gZ..].8C..D'M...\3.+~5......z.<.f1..2.v./.As.Lv.....`2.M%...d.h..S`....YC.....D.u0-l.V#.5.,.e..)[..[.v..*............d.I...A........A+&."..8g.)"..E..1!.Z.]....Ak..5.......<'..L8bC..V4.U2.~$...i....)."I...O...d:......@..S...w0m...-....2..x....z.....O....k.8.}....P.....=..I/...<../.d..k....43VL.i...........C.S|`..!b.8....3.Ey..S..e..+.../T..j...g..B.@q9.."..>.LU..2-i....-.!....Z....g.BGl.j..R...Z.D.YJ.Kd...9 l.FN4.Rk.22..b..Rn...u..x.,...j.I.aZ.....X[{L.e..Z#..`.Z...*8..[.p..0.(...j..W..-M...V..H7.c.KN...5e.."...t[um..R...UF.c..1.....z|z.EeO..j..k.V..\x.8.....et;.9.^.Pa..+......U....Iu.q.t....HY.g...q.......omK...FKr1.F..F?.i.d../.]....68..L.........W..s.CU.|y.....zE..Q\...82..W.i[.#Q..xm......P..u.<.#...yC...,........~B..|sF.
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Java jmod module version 1.0
                                              Category:dropped
                                              Size (bytes):41127
                                              Entropy (8bit):7.961466748192397
                                              Encrypted:false
                                              SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                              MD5:D039093C051B1D555C8F9B245B3D7FA0
                                              SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                              SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                              SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                              Malicious:false
                                              Preview:JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...*A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z|*.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Java jmod module version 1.0
                                              Category:dropped
                                              Size (bytes):113725
                                              Entropy (8bit):7.928841651831531
                                              Encrypted:false
                                              SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                              MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                              SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                              SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                              SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                              Malicious:false
                                              Preview:JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm......*..Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h.*.^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz|..^.........8q..{...}.*G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j*..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Java jmod module version 1.0
                                              Category:dropped
                                              Size (bytes):896846
                                              Entropy (8bit):7.923431656723031
                                              Encrypted:false
                                              SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                              MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                              SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                              SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                              SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                              Malicious:false
                                              Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):639224
                                              Entropy (8bit):6.219852228773659
                                              Encrypted:false
                                              SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                              MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                              SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                              SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                              SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):98224
                                              Entropy (8bit):6.452201564717313
                                              Encrypted:false
                                              SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                              MD5:F34EB034AA4A9735218686590CBA2E8B
                                              SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                              SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                              SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):37256
                                              Entropy (8bit):6.297533243519742
                                              Encrypted:false
                                              SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                              MD5:135359D350F72AD4BF716B764D39E749
                                              SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                              SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                              SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):372526
                                              Entropy (8bit):4.467275942115759
                                              Encrypted:false
                                              SSDEEP:3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
                                              MD5:B52B2D1D4C9E56CA24AB0CD0730CC5AD
                                              SHA1:C70A3683DF57DE3096CA58F314C0B649035392CC
                                              SHA-256:73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
                                              SHA-512:CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
                                              Malicious:false
                                              Preview:............ .( ..v......... .(.... ..@@.... .(B...(..00.... ..%...j.. .... ............... .....>......... .h......(............. ...... ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EEC7FF0D-3F84-42B8-A8DE-D00B0E91B91D}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Dec 24 10:35:19 2024, Last Saved Time/Date: Tue Dec 24 10:35:19 2024, Last Printed: Tue Dec 24 10:35:19 2024, Number of Pages: 450
                                              Category:dropped
                                              Size (bytes):60283392
                                              Entropy (8bit):7.201442780923238
                                              Encrypted:false
                                              SSDEEP:786432:YWZXjVmrjV7eIAtehOTZ2oZ4sdUuzt/NCaY2ksCb:YWRVmrjV7eIvhOTZTRjVCa1t
                                              MD5:7FA13F4BC687A77F71D4F0F3176B6AA7
                                              SHA1:EC01DE1A6F113D2B7C641C5BD81FBD97EBCD91AA
                                              SHA-256:745193845C716367966C6D32712FE64AA8E266687D9972B0B628C3BE0976035C
                                              SHA-512:FF47814943F092D9EAE6375A039E109564B5A04AFE38E71A887B3D1362B121588D8BAB3E01CDBEFE0188F93D046064C0AEEE8718C9B4A09B2AECB64C967810DB
                                              Malicious:false
                                              Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...N...K...L...e...O...""..P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EEC7FF0D-3F84-42B8-A8DE-D00B0E91B91D}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Dec 24 10:35:19 2024, Last Saved Time/Date: Tue Dec 24 10:35:19 2024, Last Printed: Tue Dec 24 10:35:19 2024, Number of Pages: 450
                                              Category:dropped
                                              Size (bytes):60283392
                                              Entropy (8bit):7.201442780923238
                                              Encrypted:false
                                              SSDEEP:786432:YWZXjVmrjV7eIAtehOTZ2oZ4sdUuzt/NCaY2ksCb:YWRVmrjV7eIvhOTZTRjVCa1t
                                              MD5:7FA13F4BC687A77F71D4F0F3176B6AA7
                                              SHA1:EC01DE1A6F113D2B7C641C5BD81FBD97EBCD91AA
                                              SHA-256:745193845C716367966C6D32712FE64AA8E266687D9972B0B628C3BE0976035C
                                              SHA-512:FF47814943F092D9EAE6375A039E109564B5A04AFE38E71A887B3D1362B121588D8BAB3E01CDBEFE0188F93D046064C0AEEE8718C9B4A09B2AECB64C967810DB
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1021792
                                              Entropy (8bit):6.608727172078022
                                              Encrypted:false
                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1021792
                                              Entropy (8bit):6.608727172078022
                                              Encrypted:false
                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1021792
                                              Entropy (8bit):6.608727172078022
                                              Encrypted:false
                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1021792
                                              Entropy (8bit):6.608727172078022
                                              Encrypted:false
                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1201504
                                              Entropy (8bit):6.4557937684843365
                                              Encrypted:false
                                              SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                              MD5:E83D774F643972B8ECCDB3A34DA135C5
                                              SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                              SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                              SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1021792
                                              Entropy (8bit):6.608727172078022
                                              Encrypted:false
                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1021792
                                              Entropy (8bit):6.608727172078022
                                              Encrypted:false
                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):380520
                                              Entropy (8bit):6.512348002260683
                                              Encrypted:false
                                              SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                              MD5:FFDAACB43C074A8CB9A608C612D7540B
                                              SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                              SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                              SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):393113
                                              Entropy (8bit):4.736420847328014
                                              Encrypted:false
                                              SSDEEP:3072:AZ9EAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzT:AZ91CANx6xPZX9mB2
                                              MD5:341DFE59DBB6A570B4775DF612E973C4
                                              SHA1:9A608EDFD486C8A0CDFF476E57383602E9305590
                                              SHA-256:2105C544E2BE4F1F459D3EA4F62579B169DB85B994E81BC667026DA41E2F5EAC
                                              SHA-512:274B6B4AC059C67C65CFCDB88A41ED857375C6BA20720F39BAD5CC38AFB17E687FEA6672FAC4C4BDB3C2B6DC2305113ABB97E1002BEC542AFFD11CE7A5872E45
                                              Malicious:false
                                              Preview:...@IXOS.@.....@iP.Y.@.....@.....@.....@.....@.....@......&.{C431E5A6-B7FF-4C83-AA62-6161DB3498C7}..App x installer..installer.msi.@.....@.....@.....@......icon_22.exe..&.{EEC7FF0D-3F84-42B8-A8DE-D00B0E91B91D}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}C.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}8.21:\Software\Coors Q Corporation\App x installer\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}N.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}U.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dl
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):787808
                                              Entropy (8bit):6.693392695195763
                                              Encrypted:false
                                              SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                              MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                              SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                              SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                              SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):20480
                                              Entropy (8bit):1.1626262200630437
                                              Encrypted:false
                                              SSDEEP:12:JSbX72FjeT3AGiLIlHVRpiBh/7777777777777777777777777vDHFIyNM/Yq6E+:J2QI5A5Ne6sF
                                              MD5:510E000ECAA23B80A5D90FBFAA3BF74A
                                              SHA1:FBC89A1944541D0D0CE5A00EC138C20F9CD334DA
                                              SHA-256:77E0C4B5DB1FF32468999E0ED76B8614C475EBBB095A2B88B78CAB5F58120AF3
                                              SHA-512:3816D69CB6ABDCEA9634A8AD2F55844F9EAD23DEDB6C118214ADB35A8CDA69D84FC4C088F3AA58029BFF61D247817E1D2D583F3AB40C4408C912C4E996729347
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):20480
                                              Entropy (8bit):1.5833652069145
                                              Encrypted:false
                                              SSDEEP:48:EFm8PhXuRc06WXJaBT5uMx5E4mMoAECiCyVSCvovX2ySCOTTsWR:EHhX1RBT1fE2ECeiXj8sWR
                                              MD5:688D46097DA21040B5B663148AD74148
                                              SHA1:D80BD9ABE7E4B2AC812B459FA2090933A2361E76
                                              SHA-256:DCCF1061E453400F6FC173A75CECAEF461121404D16F14BCEA680A3541545784
                                              SHA-512:8A733B1557721A8578683E089B471EEED1F8A07D982A5FFCFCF5ABD161AB06650F47A5F43445E8BB6BDF417B4B4B7ACE6FAA40BCF15C38F4D68F50D9816CBD56
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):432220
                                              Entropy (8bit):5.375168362396
                                              Encrypted:false
                                              SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauq:zTtbmkExhMJCIpErl
                                              MD5:3BA5D764E154CE6C22A277CE92F580BF
                                              SHA1:1C8DC39366189D865B5B2A848D74D03F17EB1957
                                              SHA-256:B24112D7DB61C2471150EC40956CAF45C60EF2D81577587CB5E941C23178D8D3
                                              SHA-512:4941BD8C332E39325F58673A7088957BE2E443D125C0ABE732A5797E7CC11E71060974A09BBE704D494FE4FA28B3899DC23760949E412CDD8BFC712EF67082DF
                                              Malicious:false
                                              Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):0.07048067372614193
                                              Encrypted:false
                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOIyNM/KdqwM4EgXLIiVky6l7:2F0i8n0itFzDHFIyNM/Yq6EgX27
                                              MD5:0695C37787288CCA0CDDBBE7AB4F8335
                                              SHA1:BF1F1A1C508991BEBC267B363703BC8A17DDA06B
                                              SHA-256:2CF79386177470F3597D0D8403C6ABC0B445E1C4DDBFA484D4B728E7BE9733B6
                                              SHA-512:F4FD6BC35695AA1CF60BCC47AD8AA3A2BEFE7A98D2106A464BDC899C20B0D37DC44F719FCCD37E8D5C7099460918D4FEFF6BDE4C140A75B346DBAF35B730C4D3
                                              Malicious:false
                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):1.2674856050041188
                                              Encrypted:false
                                              SSDEEP:48:50PupI+CFXJPT5EVEMx5E4mMoAECiCyVSCvovX2ySCOTTsWR:mPT3TuVdfE2ECeiXj8sWR
                                              MD5:2F393B9F8E73DE5ACC42598F27016BB4
                                              SHA1:9D53B9C879A7EECE00A5F7E00CDD258D4E6F2349
                                              SHA-256:C3554AB743B76B3AECF2D2EDA3FBE0A22F29AC3FCA452D59E495ADAB1BF9C323
                                              SHA-512:577F408FE096088EDA4128C68B0EE8BA4EEFD1CCD57E432BAD3079FB02CDA42C4DC773F08537B0A56E07A4DC5E20A90B391C6803A6121312B985364A655A9902
                                              Malicious:false
                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):20480
                                              Entropy (8bit):1.5833652069145
                                              Encrypted:false
                                              SSDEEP:48:EFm8PhXuRc06WXJaBT5uMx5E4mMoAECiCyVSCvovX2ySCOTTsWR:EHhX1RBT1fE2ECeiXj8sWR
                                              MD5:688D46097DA21040B5B663148AD74148
                                              SHA1:D80BD9ABE7E4B2AC812B459FA2090933A2361E76
                                              SHA-256:DCCF1061E453400F6FC173A75CECAEF461121404D16F14BCEA680A3541545784
                                              SHA-512:8A733B1557721A8578683E089B471EEED1F8A07D982A5FFCFCF5ABD161AB06650F47A5F43445E8BB6BDF417B4B4B7ACE6FAA40BCF15C38F4D68F50D9816CBD56
                                              Malicious:false
                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):73728
                                              Entropy (8bit):0.14454399875454077
                                              Encrypted:false
                                              SSDEEP:48:psWRyTeySCTmMoAECiCyVSCvovXEEyxP:psWRoRECeiXEEy
                                              MD5:7EAD34F92D922B7A68B7830137076A24
                                              SHA1:51F65000B5F18667D7A6B911B17354AFAC776833
                                              SHA-256:5699B84A624924B679BB273A628946E134C1B32AAB8DC3F57923D6274C812B4F
                                              SHA-512:80FBC471AD07F4766FA7E0685B9185DA5D6AA91AC03C9A09D673C4A369E6B1BCD6B8210443C48139E3F189F3FC0818BDCF046C46138B97C5056E82871411AD8A
                                              Malicious:false
                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):1.2674856050041188
                                              Encrypted:false
                                              SSDEEP:48:50PupI+CFXJPT5EVEMx5E4mMoAECiCyVSCvovX2ySCOTTsWR:mPT3TuVdfE2ECeiXj8sWR
                                              MD5:2F393B9F8E73DE5ACC42598F27016BB4
                                              SHA1:9D53B9C879A7EECE00A5F7E00CDD258D4E6F2349
                                              SHA-256:C3554AB743B76B3AECF2D2EDA3FBE0A22F29AC3FCA452D59E495ADAB1BF9C323
                                              SHA-512:577F408FE096088EDA4128C68B0EE8BA4EEFD1CCD57E432BAD3079FB02CDA42C4DC773F08537B0A56E07A4DC5E20A90B391C6803A6121312B985364A655A9902
                                              Malicious:false
                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):1.2674856050041188
                                              Encrypted:false
                                              SSDEEP:48:50PupI+CFXJPT5EVEMx5E4mMoAECiCyVSCvovX2ySCOTTsWR:mPT3TuVdfE2ECeiXj8sWR
                                              MD5:2F393B9F8E73DE5ACC42598F27016BB4
                                              SHA1:9D53B9C879A7EECE00A5F7E00CDD258D4E6F2349
                                              SHA-256:C3554AB743B76B3AECF2D2EDA3FBE0A22F29AC3FCA452D59E495ADAB1BF9C323
                                              SHA-512:577F408FE096088EDA4128C68B0EE8BA4EEFD1CCD57E432BAD3079FB02CDA42C4DC773F08537B0A56E07A4DC5E20A90B391C6803A6121312B985364A655A9902
                                              Malicious:false
                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):20480
                                              Entropy (8bit):1.5833652069145
                                              Encrypted:false
                                              SSDEEP:48:EFm8PhXuRc06WXJaBT5uMx5E4mMoAECiCyVSCvovX2ySCOTTsWR:EHhX1RBT1fE2ECeiXj8sWR
                                              MD5:688D46097DA21040B5B663148AD74148
                                              SHA1:D80BD9ABE7E4B2AC812B459FA2090933A2361E76
                                              SHA-256:DCCF1061E453400F6FC173A75CECAEF461121404D16F14BCEA680A3541545784
                                              SHA-512:8A733B1557721A8578683E089B471EEED1F8A07D982A5FFCFCF5ABD161AB06650F47A5F43445E8BB6BDF417B4B4B7ACE6FAA40BCF15C38F4D68F50D9816CBD56
                                              Malicious:false
                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):638
                                              Entropy (8bit):4.751962275036146
                                              Encrypted:false
                                              SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                              MD5:15CA959638E74EEC47E0830B90D0696E
                                              SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                              SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                              SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                              Malicious:false
                                              Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EEC7FF0D-3F84-42B8-A8DE-D00B0E91B91D}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Dec 24 10:35:19 2024, Last Saved Time/Date: Tue Dec 24 10:35:19 2024, Last Printed: Tue Dec 24 10:35:19 2024, Number of Pages: 450
                                              Entropy (8bit):7.201442780923238
                                              TrID:
                                              • Windows SDK Setup Transform Script (63028/2) 88.73%
                                              • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                              File name:installer.msi
                                              File size:60'283'392 bytes
                                              MD5:7fa13f4bc687a77f71d4f0f3176b6aa7
                                              SHA1:ec01de1a6f113d2b7c641c5bd81fbd97ebcd91aa
                                              SHA256:745193845c716367966c6d32712fe64aa8e266687d9972b0b628c3be0976035c
                                              SHA512:ff47814943f092d9eae6375a039e109564b5a04afe38e71a887b3d1362b121588d8bab3e01cdbefe0188f93d046064c0aeee8718c9b4a09b2aecb64c967810db
                                              SSDEEP:786432:YWZXjVmrjV7eIAtehOTZ2oZ4sdUuzt/NCaY2ksCb:YWRVmrjV7eIvhOTZTRjVCa1t
                                              TLSH:7ED76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
                                              File Content Preview:........................>............................................2..................................................................x......................................................................................................................
                                              Icon Hash:2d2e3797b32b2b99
                                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                              2024-12-24T16:03:17.901402+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49731 | 172.67.196.179 | 443 | TCP
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 24, 2024 16:03:16.202416897 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:16.202482939 CET | 443 | 49731 | 172.67.196.179 | 192.168.2.4
                                              Dec 24, 2024 16:03:16.202598095 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:16.300321102 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:16.300363064 CET | 443 | 49731 | 172.67.196.179 | 192.168.2.4
                                              Dec 24, 2024 16:03:17.522037029 CET | 443 | 49731 | 172.67.196.179 | 192.168.2.4
                                              Dec 24, 2024 16:03:17.522191048 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:17.874344110 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:17.874377012 CET | 443 | 49731 | 172.67.196.179 | 192.168.2.4
                                              Dec 24, 2024 16:03:17.874751091 CET | 443 | 49731 | 172.67.196.179 | 192.168.2.4
                                              Dec 24, 2024 16:03:17.874825001 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:17.901184082 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:17.901319027 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:17.901371956 CET | 443 | 49731 | 172.67.196.179 | 192.168.2.4
                                              Dec 24, 2024 16:03:18.684948921 CET | 443 | 49731 | 172.67.196.179 | 192.168.2.4
                                              Dec 24, 2024 16:03:18.685018063 CET | 443 | 49731 | 172.67.196.179 | 192.168.2.4
                                              Dec 24, 2024 16:03:18.685103893 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:18.685545921 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:18.685545921 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Dec 24, 2024 16:03:18.685571909 CET | 49731 | 443 | 192.168.2.4 | 172.67.196.179
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 24, 2024 16:03:15.884284019 CET | 49702 | 53 | 192.168.2.4 | 1.1.1.1
                                              Dec 24, 2024 16:03:16.195291042 CET | 53 | 49702 | 1.1.1.1 | 192.168.2.4
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Dec 24, 2024 16:03:15.884284019 CET | 192.168.2.4 | 1.1.1.1 | 0xcac8 | Standard query (0) | trailbuddymaps.com | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Dec 24, 2024 16:03:16.195291042 CET | 1.1.1.1 | 192.168.2.4 | 0xcac8 | No error (0) | trailbuddymaps.com | | 172.67.196.179 | A (IP address) | IN (0x0001) | false
                                              Dec 24, 2024 16:03:16.195291042 CET | 1.1.1.1 | 192.168.2.4 | 0xcac8 | No error (0) | trailbuddymaps.com | | 104.21.44.68 | A (IP address) | IN (0x0001) | false
                                              • trailbuddymaps.com
                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.4 | 49731 | 172.67.196.179 | 443 | 3448 | C:\Windows\SysWOW64\msiexec.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-12-24 15:03:17 UTC | 196 | OUT | POST /updater.php HTTP/1.1
                                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                              User-Agent: AdvancedInstaller
                                              Host: trailbuddymaps.com
                                              Content-Length: 71
                                              Cache-Control: no-cache
                                              2024-12-24 15:03:17 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 32 34 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 31 30 25 33 41 30 33 25 33 41 31 34 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                              Data Ascii: Date=24%2F12%2F2024&Time=10%3A03%3A14&BuildVersion=8.9.9&SoroqVins=True
                                              2024-12-24 15:03:18 UTC | 838 | IN | HTTP/1.1 500 Internal Server Error
                                              Date: Tue, 24 Dec 2024 15:03:18 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Cache-Control: no-store
                                              cf-cache-status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PpZT%2BpSwJ2vYyV7UAj8inBGAVZm%2FExbpjszPt5StpN0prQGAw1kwsZh7de9y2DxpG5RHIcy5sQjO0l0F6%2BnpTttOMQ4uH79LC7RfB1owIvfJiwegmJfSEYDg0rHPO%2BYYVutVMhY%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f717a31ed341a44-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1803&rtt_var=705&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=927&delivery_rate=1520041&cwnd=128&unsent_bytes=0&cid=8ae0da85e7bc5de8&ts=1175&x=0"
                                              2024-12-24 15:03:18 UTC5INData Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0

                                              Target ID:0
                                              Start time:10:03:03
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\msiexec.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi"
                                              Imagebase:0x7ff7f5400000
                                              File size:69'632 bytes
                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:1
                                              Start time:10:03:04
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\msiexec.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                              Imagebase:0x7ff7f5400000
                                              File size:69'632 bytes
                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:2
                                              Start time:10:03:06
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 3138A056C811D1F6BC08A5B6A4F984EC
                                              Imagebase:0x990000
                                              File size:59'904 bytes
                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:10:03:18
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss56BD.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi56AA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr56AB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr56AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                              Imagebase:0x870000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:10:03:18
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:10:03:24
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
                                              Imagebase:0x7ff618170000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:10:03:24
                                              Start date:24/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
                                              Imagebase:0x7ff7b8df0000
                                              File size:57'488 bytes
                                              MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:8
                                              Start time:10:03:24
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:10:03:24
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:10:03:25
                                              Start date:24/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
                                              Imagebase:0x140000000
                                              File size:117'496 bytes
                                              MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:11
                                              Start time:10:03:25
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1847551574.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7c30000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq
                                                • API String ID: 0-3550614674
                                                • Opcode ID: 30c9ffd154ba86a6f543bf2d88dd5d35a951d3e53a6898a3c600d545a29f1e78
                                                • Instruction ID: 6a5ced09dea7d5462900859a2e55f7597e4f0a5cf4065580b6ddbffa96f2c844
                                                • Opcode Fuzzy Hash: 30c9ffd154ba86a6f543bf2d88dd5d35a951d3e53a6898a3c600d545a29f1e78
                                                • Instruction Fuzzy Hash: 48314DB170025D9FDB159F6DE84056A7BD3AFC4210F24846AE54A8B292DF32CD16C761
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1842323790.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_4da0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c65f4d13ccfee6959acbbcf9c022adf8c136d20c60a5ddcc8357c6b160a55185
                                                • Instruction ID: 1a29024972244de66d47cd34fb7ada6ebb57ce156d14443cae2cea1ee6a37567
                                                • Opcode Fuzzy Hash: c65f4d13ccfee6959acbbcf9c022adf8c136d20c60a5ddcc8357c6b160a55185
                                                • Instruction Fuzzy Hash: 31A19035A002089FDB14EFA5D944AADBBF2FF84300F158529E806AF369DB34ED59DB41
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1842323790.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_4da0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b2bdf1c068954986c422c599cfb0daeccdc668eeb4fbe2019debc4c15f20b595
                                                • Instruction ID: 48f6849781182fdb83d99b2cfaef066274caff02067ba0119db3bcb0608ae959
                                                • Opcode Fuzzy Hash: b2bdf1c068954986c422c599cfb0daeccdc668eeb4fbe2019debc4c15f20b595
                                                • Instruction Fuzzy Hash: 9171D030A00649CFCB14EF68D894A9EFBF2FF85314F14856AE416DB655DB31AC45CB80
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1842323790.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_4da0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a7ad24e239aba300bbe12bef085df9dc8b9920eb88b75cea809cd13be81dcce
                                                • Instruction ID: d61de16b8be27bfcaeda98bf303819768720bf5331d36e6bfca40f3eb5bfbf55
                                                • Opcode Fuzzy Hash: 6a7ad24e239aba300bbe12bef085df9dc8b9920eb88b75cea809cd13be81dcce
                                                • Instruction Fuzzy Hash: 4E716F70A00648DFDB14EFA5D494AADBBF2FF88304F148429E812AB3A4DB35AD45DF41
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1842323790.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_4da0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 711657fc3b727f8fdc2f129767de4afcf833845c7a3b9f9d51902cd581c78d9c
                                                • Instruction ID: 453f61a4b55d009165fa25793d72f1c29d4e759cea5b6335d23d3f5db6ccd157
                                                • Opcode Fuzzy Hash: 711657fc3b727f8fdc2f129767de4afcf833845c7a3b9f9d51902cd581c78d9c
                                                • Instruction Fuzzy Hash: C7416F70A00648CFDB18EFA5C49469DBBF2FF85300F14842EE406AF7A5DB75A849CB95
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1841843634.000000000346D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0346D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_346d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6811de7835fd9ea28d6a9194d2e38ca70699c8bd78c73d23615d90f073ae93a7
                                                • Instruction ID: 73c8a43dedd62b7f2957e1fc18f1e5fad8f6bbe08a7e6b45a9a5cba5e4088a48
                                                • Opcode Fuzzy Hash: 6811de7835fd9ea28d6a9194d2e38ca70699c8bd78c73d23615d90f073ae93a7
                                                • Instruction Fuzzy Hash: 1501407150E3C09FD7128B25C894B52BFB8EF47228F1D85DBD8888F2A3C2699844C772
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1841843634.000000000346D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0346D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_346d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4c7e072699f64c335104219b181b31923f83f899b7306278e9ef006077d9ee3
                                                • Instruction ID: 99b6308028bb36a3b6fdbe5f4eee3a80040e35e7bbfba2a0f1e9b2a202bfcae1
                                                • Opcode Fuzzy Hash: d4c7e072699f64c335104219b181b31923f83f899b7306278e9ef006077d9ee3
                                                • Instruction Fuzzy Hash: 8301D431A097409AE710CE29CD84767BF9CEF46368F1CC56BEC180E246C2799842C6B6
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1842323790.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_4da0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bb9360206bcd22b158edf69521cee16a8070482ef002a1a9696f85e7b5444c64
                                                • Instruction ID: fe695204689f8c6a731410c6041059cc03ff1ed4ed35d84b40dcc615efbd0341
                                                • Opcode Fuzzy Hash: bb9360206bcd22b158edf69521cee16a8070482ef002a1a9696f85e7b5444c64
                                                • Instruction Fuzzy Hash: 6CF0DA35A001059FCB15CF9CD990AEEF7B1FF88324F208159E515A72A1C736AD52CB50
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1842323790.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_4da0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30c2b3b4be289d9ac986e1a8383d6167e99cddb0f6c32e47fb5dfb1f5f6fced9
                                                • Instruction ID: 8eaa6dc6960ee15ae707dd4b37558d46b86e6fc045b8fbcd76b86a42a8217c0a
                                                • Opcode Fuzzy Hash: 30c2b3b4be289d9ac986e1a8383d6167e99cddb0f6c32e47fb5dfb1f5f6fced9
                                                • Instruction Fuzzy Hash: 98F01C74B8030A9FDB04EFA4C5A5B6E7BA2EB45340F104558E5429F368DB78AD498BC0
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1842323790.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_4da0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 99f62b62a15effe413a54ff3e69e3926233e2bf50fcfd23540b800ce5238d67f
                                                • Instruction ID: 788fd40700b6b9dcf300a86abf5169ad9e9f7cbba44527cc11651ff31d753913
                                                • Opcode Fuzzy Hash: 99f62b62a15effe413a54ff3e69e3926233e2bf50fcfd23540b800ce5238d67f
                                                • Instruction Fuzzy Hash: 65B1CE307043408FD715DF28D180B6AB7A3AFC9304F644899E8868F7ABDB76E846DB51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1847551574.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7c30000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'kq$4'kq$$kq$$kq$$kq
                                                • API String ID: 0-1023320533
                                                • Opcode ID: 4e9e15de6289a93b0c46d21c46c78c2b96810038c8beca963fb9abd283803364
                                                • Instruction ID: b9c15a63eb44bc0ae71992cded43ccafb4e1bd4389016dd78264592d8b3a1fd4
                                                • Opcode Fuzzy Hash: 4e9e15de6289a93b0c46d21c46c78c2b96810038c8beca963fb9abd283803364
                                                • Instruction Fuzzy Hash: AB31F6B3745346CFEF395A26988027BF7A3EB82220B24847FC4418A241DA36C5D5C752
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1847551574.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7c30000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4dk$4dk$$kq$$kq$$kq
                                                • API String ID: 0-1437879050
                                                • Opcode ID: c72077a466a3ad0b4e0a531e238dcf8bc11f050b95568f7b3b6835e78dd425f3
                                                • Instruction ID: 877bfdef6a7ef275c32ad7709779db33135f0bfe8b5bdbddb23cb4154b448e3b
                                                • Opcode Fuzzy Hash: c72077a466a3ad0b4e0a531e238dcf8bc11f050b95568f7b3b6835e78dd425f3
                                                • Instruction Fuzzy Hash: C8110DF33102069BD738A56A989163767D78FC5651B14843ED545C7392DE3AC981C3B1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1847551574.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7c30000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'kq$4'kq$$kq$$kq
                                                • API String ID: 0-1727931526
                                                • Opcode ID: ac712e7db331a8850805ebd1d749c3f4166edae8ab06b8a947d75ad047890ae9
                                                • Instruction ID: 5069a7d1b9b3abf383d8af22abdacadcf19716a6343d3bab2d0bd72b801ae414
                                                • Opcode Fuzzy Hash: ac712e7db331a8850805ebd1d749c3f4166edae8ab06b8a947d75ad047890ae9
                                                • Instruction Fuzzy Hash: 3C01A7A270E7C54FC737666928205666FB35F8351072A01EBC081CF3A7CD194D46C3A7

                                                Execution Graph

                                                Execution Coverage:3.4%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:1.7%
                                                Total number of Nodes:701
                                                Total number of Limit Nodes:1
execution_graph (rendered call-graph residue for the createdump module loaded at 0x7ff7b8df0000 in process 7; the original is an edge list of node ids, function addresses and API labels, with collapsed callees shown as "n API calls"). Recoverable content, grouped by root function:
• 7ff7b8df27ec (CRT entry): __scrt_initialize_crt, __scrt_release_startup_lock, _register_thread_local_exe_atexit_callback, _get_initial_narrow_environment, __p___argv, __p___argc, GetModuleHandleW, then 7ff7b8df1060, then _cexit / _exit
• 7ff7b8df1060 (command-line parsing): strcmp (four call sites), atoi, GetTempPathA, strcat_s, GetLastError, error reporting via 7ff7b8df1450 / 7ff7b8df13c0 (__acrt_iob_func, __stdio_common_vfprintf, fflush), then 7ff7b8df23c0
• 7ff7b8df23c0 (dump writer): OpenProcess, K32GetModuleBaseNameA, GetLastError, 7ff7b8df1800 (WSAStartup), CreateFileA, MiniDumpWriteDump, CloseHandle
• 7ff7b8df1ce0: gethostname, WSAGetLastError; 7ff7b8df1b18: _time64
• 7ff7b8df2da0: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (the CRT __security_init_cookie pattern)
• 7ff7b8df2ecc: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter; 7ff7b8df29c0 / 7ff7b8df2a94 / 7ff7b8df2984: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess; 7ff7b8df3074: SetUnhandledExceptionFilter
• vcruntime helpers: 7ff7b8df6498 (__vcrt_FlsAlloc: LoadLibraryExW, GetProcAddress, FreeLibrary, TlsFree), 7ff7b8df65e8 (TlsAlloc), 7ff7b8df669f (TlsGetValue), 7ff7b8df6714 (InitializeCriticalSectionAndSpinCount), 7ff7b8df6460 (DeleteCriticalSection), 7ff7b8df2e64 (InitializeSListHead via _RTC_Initialize)
• exception and unwind helpers: RaiseException (7ff7b8df3fe7, 7ff7b8df5a0a), RtlUnwindEx (7ff7b8df3e64, 7ff7b8df3838), RtlPcToFileHeader (7ff7b8df3fc0), EncodePointer (7ff7b8df4f0e), _CreateFrameInfo, __GSHandlerCheck_EH, __C_specific_handler, BuildCatchObjectHelperInternal, __AdjustPointer, terminate, abort, malloc, free, std::bad_alloc::bad_alloc, std::_Xinvalid_argument, Concurrency::cancel_current_task
Triage note: the only IsDebuggerPresent reference in this module's graph sits in the CRT fatal-error path under 7ff7b8df2ecc (beside SetUnhandledExceptionFilter / UnhandledExceptionFilter), not in a standalone check, so the report's "IsDebuggerPresent" signature is satisfied by CRT code here. The module's own work is the OpenProcess -> K32GetModuleBaseNameA -> WSAStartup -> CreateFileA -> MiniDumpWriteDump chain under 7ff7b8df23c0, consistent with the createdump usage strings listed below.
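The graph above is only useful if it can be queried: which APIs does the dump-writer function actually reach, and by which path? The following is an added example, not code from the Joe Sandbox report or from Joe Security. It parses the report's flat execution_graph token stream into nodes and edges and answers those questions. The token grammar (node = "<id> <hexaddr> <labels...>", edge = "<src>-><dst>", collapsed callee = "<n> API calls") is inferred from the rendered text and is an assumption, not a documented format; SAMPLE is a constructed excerpt of the createdump module's graph as shown in this report (the 7ff7b8df23c0 dump-writer subtree plus the separate 7ff7b8df1ce0 gethostname root).

```python
"""Added example: parse a Joe Sandbox 'execution_graph' token stream and query it.

Not part of the report or of Joe Sandbox. The grammar (node = "<id> <hexaddr> <labels...>",
edge = "<src>-><dst>", collapsed callee = "<n> API calls") is inferred from the rendered
text, not documented by Joe Sandbox (assumption). SAMPLE is a constructed excerpt of the
createdump module's graph as rendered in this report.
"""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]{8,16}$")
SUMMARY_RE = re.compile(r"\b(\d+) API calls\b")

SAMPLE = """execution_graph
2356 7ff7b8df23c0 2357 7ff7b8df2688 5 API calls 2356->2357
2358 7ff7b8df23f5 OpenProcess 2357->2358
2359 7ff7b8df243b GetLastError 2358->2359
2360 7ff7b8df2458 K32GetModuleBaseNameA 2358->2360
2361 7ff7b8df1450 6 API calls 2359->2361
2362 7ff7b8df2492 2360->2362
2363 7ff7b8df2470 GetLastError 2360->2363
2371 7ff7b8df2453 2361->2371
2418 7ff7b8df1800 2362->2418
2365 7ff7b8df1450 6 API calls 2363->2365
2366 7ff7b8df2484 CloseHandle 2365->2366 2366->2371
2368 7ff7b8df25b3 CloseHandle 2368->2371
2369 7ff7b8df24ae 2372 7ff7b8df13c0 6 API calls 2369->2372
2370 7ff7b8df25fa 2429 7ff7b8df2660 2370->2429 2371->2370
2374 7ff7b8df25f3 _invalid_parameter_noinfo_noreturn 2371->2374
2373 7ff7b8df24cf CreateFileA 2372->2373
2375 7ff7b8df2543 2373->2375
2376 7ff7b8df250f GetLastError 2373->2376 2374->2370
2379 7ff7b8df2550 MiniDumpWriteDump 2375->2379
2383 7ff7b8df258a CloseHandle CloseHandle 2375->2383
2378 7ff7b8df1450 6 API calls 2376->2378
2381 7ff7b8df2538 CloseHandle 2378->2381
2382 7ff7b8df2576 GetLastError 2379->2382 2379->2383 2381->2371 2382->2375
2385 7ff7b8df258c 2382->2385 2383->2371
2386 7ff7b8df1450 6 API calls 2385->2386 2386->2383
2419 7ff7b8df1863 WSAStartup 2418->2419
2420 7ff7b8df1850 2418->2420
2422 7ff7b8df185c 2419->2422
2427 7ff7b8df187f 2419->2427
2421 7ff7b8df1450 6 API calls 2420->2421 2421->2422
2423 7ff7b8df2660 __GSHandlerCheck_EH 8 API calls 2422->2423
2424 7ff7b8df1d87 2423->2424 2424->2368 2424->2369
2425 7ff7b8df1dd0 2426 7ff7b8df1450 6 API calls 2425->2426 2426->2422 2427->2422 2427->2425
2438 7ff7b8df20c0 2427->2438
2634 7ff7b8df1ce0 2635 7ff7b8df2688 5 API calls 2634->2635
2636 7ff7b8df1cea gethostname 2635->2636
"""


@dataclass
class Node:
    addr: int
    symbols: list = field(default_factory=list)  # API / CRT names labelling the node
    collapsed_calls: int = 0                      # total of "<n> API calls" summaries


@dataclass
class ExecGraph:
    nodes: dict = field(default_factory=dict)     # node id -> Node
    edges: dict = field(default_factory=dict)     # node id -> ordered successor ids


def parse_execution_graph(text: str) -> ExecGraph:
    g, labels, cur = ExecGraph(), {}, None
    toks = text.split()
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            if dst not in g.edges.setdefault(src, []):
                g.edges[src].append(dst)
        elif NODE_ID_RE.match(t) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = int(t)                          # "<id> <hexaddr>" opens a new node
            g.nodes[cur] = Node(addr=int(toks[i + 1], 16))
            labels[cur] = []
            i += 1                                # the address token is consumed too
        elif cur is not None:
            labels[cur].append(t)                 # any other token labels the open node
        i += 1
    for nid, words in labels.items():             # split "<n> API calls" from real names
        joined = " ".join(words)
        g.nodes[nid].collapsed_calls = sum(int(n) for n in SUMMARY_RE.findall(joined))
        g.nodes[nid].symbols = SUMMARY_RE.sub("", joined).split()
    return g


def ids_for_addr(g: ExecGraph, addr: int) -> list:
    return [nid for nid, n in g.nodes.items() if n.addr == addr]


def roots(g: ExecGraph) -> list:
    """Addresses of nodes nothing points at: the graph's entry functions."""
    targets = {d for succ in g.edges.values() for d in succ}
    return sorted(n.addr for nid, n in g.nodes.items() if nid not in targets)


def reachable_symbols(g: ExecGraph, start: int) -> set:
    """Every API / CRT name on any node reachable from start (DFS)."""
    seen, stack, out = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if n in g.nodes:
            out.update(g.nodes[n].symbols)
        stack.extend(g.edges.get(n, []))
    return out


def path_to_symbol(g: ExecGraph, start: int, symbol: str):
    """Shortest path (as addresses, BFS) from start to the first node carrying symbol."""
    prev, q = {start: None}, deque([start])
    while q:
        n = q.popleft()
        if n in g.nodes and symbol in g.nodes[n].symbols:
            path = []
            while n is not None:
                path.append(g.nodes[n].addr)
                n = prev[n]
            return path[::-1]
        for s in g.edges.get(n, []):
            if s not in prev:
                prev[s] = n
                q.append(s)
    return None


def dump_writer_report(text: str = SAMPLE) -> dict:
    g = parse_execution_graph(text)
    start = ids_for_addr(g, 0x7FF7B8DF23C0)[0]   # createdump's dump-writer function
    return {"roots": roots(g),
            "symbols": reachable_symbols(g, start),
            "path": path_to_symbol(g, start, "MiniDumpWriteDump")}


if __name__ == "__main__":
    r = dump_writer_report()
    print("roots:", [hex(a) for a in r["roots"]])
    print("reachable from 7ff7b8df23c0:", sorted(r["symbols"]))
    print("shortest path to MiniDumpWriteDump:", " -> ".join(hex(a) for a in r["path"]))
```

Running it on the excerpt reports two roots (7ff7b8df1ce0 and 7ff7b8df23c0), shows that gethostname is not reachable from the dump writer in this excerpt (it hangs off its own root), and prints the fifteen-node path 7ff7b8df23c0 -> ... -> 7ff7b8df1800 (WSAStartup) -> ... -> 7ff7b8df2550 (MiniDumpWriteDump). Pasting the report's full execution_graph block into SAMPLE works with the same parser; collapsed "n API calls" summaries are kept as a per-node count rather than as symbol names so they do not pollute the reachable set.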

Control-flow Graph

control_flow_graph for 7ff7b8df1060 (rendered basic-block residue; the executed / not-executed colouring did not survive extraction). Recoverable structure: the function loops over the arguments (7ff7b8df10d0 back-edge from 7ff7b8df127f) comparing each one with strcmp at 7ff7b8df1125, 7ff7b8df1151, 7ff7b8df117d and 7ff7b8df1226, the option names being the --diag / --full / --name / --normal / --triage / --verbose / --withheap strings listed below, and converts one argument with atoi at 7ff7b8df1239. At 7ff7b8df129f it allocates through 7ff7b8df2688, then either builds the default dump path with GetTempPathA (7ff7b8df12b9) and strcat_s (7ff7b8df12e9), reporting failures through GetLastError and 7ff7b8df1450, or proceeds to the dump writer 7ff7b8df23c0 (7ff7b8df132a). The tail at 7ff7b8df134b flushes the C stdio streams (__acrt_iob_func, fflush, twice) before the common exit block at 7ff7b8df139e.
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
• Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                • API String ID: 2647627392-2367407095
                                                • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                • Instruction ID: 152c2911ad70422fbb065c63c992f6a5e43745eb000d861fcf71e051975462d6
                                                • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                • Instruction Fuzzy Hash: 77A19461D4C78251FF62AB28A4002B9E6A4AF6F754F884133DB4D0619DDE3CE44FE329

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                • String ID:
                                                • API String ID: 2308368977-0
                                                • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                • Instruction ID: 96d4a8edd4d545d57fb73a423016f0a491bfd9a1139dd0ffe72f898210bae7e3
                                                • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                • Instruction Fuzzy Hash: 6D311F21E4C24342EA14BB6894113BDD291AF6F744FC4503BD74D472AFDE2CA84EE279

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                • String ID: [createdump]
                                                • API String ID: 3735572767-2657508301
                                                • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                • Instruction ID: 8b3e0c1db8fb5a574800b66ea8f892e722fd9024c0ee654466fef081f280709a
                                                • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                • Instruction Fuzzy Hash: 09014F21B08B4182EA00AB54F81556AE364FF9ABD1F804536DB8E0376DCF3CE55AD715

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                • String ID:
                                                • API String ID: 3140674995-0
                                                • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                • Instruction ID: 69740dc2e139c021b7637e5dfcc0fb09d9c539878b4ca9ec113f1638a7a0af20
                                                • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                • Instruction Fuzzy Hash: 3B315E72708A8186EB609F64E8407E9A365FB59744F84403ADB4E47B9CDF38C54DC728
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                • Instruction ID: aad50405bafb4ac776eb72de950fabf888a88cbfa602819becb84a3ad227709e
                                                • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                • Instruction Fuzzy Hash: 59A00122A0D802D0E648AB58A854961E220EF6A304BC10433E20D412AC9E3CA44AA229

                                                Control-flow Graph

                                                APIs
                                                • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B8DF242D
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B8DF243B
                                                  • Part of subcall function 00007FF7B8DF1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF1475
                                                  • Part of subcall function 00007FF7B8DF1450: fprintf.MSPDB140-MSVCRT ref: 00007FF7B8DF1485
                                                  • Part of subcall function 00007FF7B8DF1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF1494
                                                  • Part of subcall function 00007FF7B8DF1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF14B3
                                                  • Part of subcall function 00007FF7B8DF1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF14BE
                                                  • Part of subcall function 00007FF7B8DF1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF14C7
                                                • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B8DF2466
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B8DF2470
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B8DF2487
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B8DF25F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                • API String ID: 3971781330-1292085346
                                                • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                • Instruction ID: 0fa067fb22f59bf931127c6549ec0b200f4a6d2ea5014b49cd4a1f7702dac8c6
                                                • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                • Instruction Fuzzy Hash: 6861583160864281EA10AB19E45067AF761FF9E794F904136DF9D037ADCF3DE44AE714

                                                Control-flow Graph

                                                Control-flow graph figure (legend: Executed / Not Executed); entry basic block at 7ff7b8df49a4.
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                • String ID: csm$csm$csm
                                                • API String ID: 695522112-393685449
                                                • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                • Instruction ID: 6219adbae4a1ec2dc905901c24cb04c422aaf58660ef6c099acf58d86b5b8d1c
                                                • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                • Instruction Fuzzy Hash: 6FE1C3329086828AE710AF28D4803ADF7B1FB6A748F544136DB8D4775EDF38E48AD714

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                • String ID: [createdump]
                                                • API String ID: 3735572767-2657508301
                                                • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                • Instruction ID: 90171087bc6eeed9e3b7d98789ec81dbc08631196e4b37bbf7b771ea1301b31e
                                                • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                • Instruction Fuzzy Hash: FF012C31B08B4182EA00AB54F8145AAE360FF9ABD1F804136DB8D0376D8F7CE59AD755

                                                Control-flow Graph

                                                APIs
                                                • WSAStartup.WS2_32 ref: 00007FF7B8DF186C
                                                  • Part of subcall function 00007FF7B8DF1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF1475
                                                  • Part of subcall function 00007FF7B8DF1450: fprintf.MSPDB140-MSVCRT ref: 00007FF7B8DF1485
                                                  • Part of subcall function 00007FF7B8DF1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF1494
                                                  • Part of subcall function 00007FF7B8DF1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF14B3
                                                  • Part of subcall function 00007FF7B8DF1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF14BE
                                                  • Part of subcall function 00007FF7B8DF1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF14C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                • API String ID: 3378602911-3973674938
                                                • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                • Instruction ID: 7fa994456e2087615192d393db1ec5dca1e9625fddd1c4091fecb1bfb5d2d21d
                                                • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                • Instruction Fuzzy Hash: DB31E662E0868156EB56AF1998547F9E761BB6A384FC40033DF4D0729DCE3CD44AD718

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF7B8DF669F,?,?,?,00007FF7B8DF441E,?,?,?,00007FF7B8DF43D9), ref: 00007FF7B8DF651D
                                                • GetLastError.KERNEL32(?,00000000,00007FF7B8DF669F,?,?,?,00007FF7B8DF441E,?,?,?,00007FF7B8DF43D9,?,?,?,?,00007FF7B8DF3524), ref: 00007FF7B8DF652B
                                                • LoadLibraryExW.KERNEL32(?,00000000,00007FF7B8DF669F,?,?,?,00007FF7B8DF441E,?,?,?,00007FF7B8DF43D9,?,?,?,?,00007FF7B8DF3524), ref: 00007FF7B8DF6555
                                                • FreeLibrary.KERNEL32(?,00000000,00007FF7B8DF669F,?,?,?,00007FF7B8DF441E,?,?,?,00007FF7B8DF43D9,?,?,?,?,00007FF7B8DF3524), ref: 00007FF7B8DF659B
                                                • GetProcAddress.KERNEL32(?,00000000,00007FF7B8DF669F,?,?,?,00007FF7B8DF441E,?,?,?,00007FF7B8DF43D9,?,?,?,?,00007FF7B8DF3524), ref: 00007FF7B8DF65A7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                • String ID: api-ms-
                                                • API String ID: 2559590344-2084034818
                                                • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                • Instruction ID: c2d76ecae8df26da7d207f41f817d8c467fb0ee5dacd398aae3f057958885327
                                                • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                • Instruction Fuzzy Hash: 2931B621B1964291EE11BB19E800575E2D4FF2EB60F994636DF1D1778CDF3CE44A9328

                                                Control-flow Graph

                                                Control-flow graph figure (legend: Executed / Not Executed); entry basic block at 7ff7b8df1b18.
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: _time64
                                                • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                • API String ID: 1670930206-4114407318
                                                • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                • Instruction ID: 2eb0250b5c2f92d4abd8aa80ca083f0aa84ecf602fc1ab93402cd1e3fa51355f
                                                • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                • Instruction Fuzzy Hash: 4C51D362A18B8186EB01DB2CE4403A9E764EB6A7D0F800136DB5D177ADDF3CD04AE714

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: EncodePointerabort
                                                • String ID: MOC$RCC
                                                • API String ID: 1188231555-2084237596
                                                • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                • Instruction ID: dff7b3926fa01dac308e64a5a091cdf57680ef3299fdc0713ae0253a5e05b95b
                                                • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                • Instruction Fuzzy Hash: E291B373A04B828AE7109B69E4802ADF7B0FB5A788F54413AEB4D1775CDF38D15AD704

                                                Control-flow Graph

                                                Control-flow graph figure (legend: Executed / Not Executed); entry basic block at 7ff7b8df5414.
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: __except_validate_context_recordabort
                                                • String ID: csm$csm
                                                • API String ID: 746414643-3733052814
                                                • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                • Instruction ID: 77c65ce244fbc71bf4809c15c6311f7601508aa8442845b8f036875fdde614d5
                                                • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                • Instruction Fuzzy Hash: F371B2325086818AD720AF29D050779FBA1FB5AB89F848136DB9D07B8DCF3CD45AD714

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                • API String ID: 0-4114407318
                                                • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                • Instruction ID: 4ab240e685bc358b19458720dbbab4e775770e2a1c2dd57f4ae08d2a54f267c4
                                                • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                • Instruction Fuzzy Hash: 6151D422A18B8546DB01DB2DE4407AAF761EBAA7D0F800136EB9D07B9DCF3DD046E754

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: CreateFrameInfo__except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 2558813199-1018135373
                                                • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                • Instruction ID: 99ea18d1e9093a5d48e0befe239fcea179d5c05d6477abdfe18cef5716942301
                                                • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                • Instruction Fuzzy Hash: 4D51803261874686D620AB1AE08026EF7F4F79EB94F440136DB8D07B5DCF78E066DB14
                                                APIs
                                                • std::_Xinvalid_argument.LIBCPMT ref: 00007FF7B8DF17EB
                                                • WSAStartup.WS2_32 ref: 00007FF7B8DF186C
                                                  • Part of subcall function 00007FF7B8DF1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF1475
                                                  • Part of subcall function 00007FF7B8DF1450: fprintf.MSPDB140-MSVCRT ref: 00007FF7B8DF1485
                                                  • Part of subcall function 00007FF7B8DF1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF1494
                                                  • Part of subcall function 00007FF7B8DF1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF14B3
                                                  • Part of subcall function 00007FF7B8DF1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF14BE
                                                  • Part of subcall function 00007FF7B8DF1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8DF14C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                • API String ID: 1412700758-3183687674
                                                • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                • Instruction ID: 3abb3ce82232200197514db259bd247a26218c7b277c6e7b703f53d421ab664e
                                                • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                • Instruction Fuzzy Hash: AF01B522A18981A5FB61AF16EC517EAE750BB9E7A4F800037EF0C0665DCE3CD49BD714
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: ErrorLastgethostname
                                                • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                • API String ID: 3782448640-4114407318
                                                • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                • Instruction ID: 6ea391a7c9d596798c604a552367299029371c4f87c3bda581143093373547f3
                                                • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                • Instruction Fuzzy Hash: 3211EB11A0814346EA45BB25A8507FAE2509F9F7B4F801237DB5F172DECD3CD04BA368
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: terminate
                                                • String ID: MOC$RCC$csm
                                                • API String ID: 1821763600-2671469338
                                                • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                • Instruction ID: 0020775ae85af94d13e0a81510a9f72b92d7fc7986a7dbeb3ee58dbcc19cf4a9
                                                • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                • Instruction Fuzzy Hash: C0F0A43690824AC1E3647F59A1C106CF3B6FF6DB48F895032E7080625ECF7CE4A6E655
                                                APIs
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF7B8DF18EE), ref: 00007FF7B8DF21E0
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B8DF221E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                • String ID: Invalid process id '%d' error %d
                                                • API String ID: 73155330-4244389950
                                                • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                • Instruction ID: 2899f4b804fbaec72b1c3803a844f1ff00f965d8701b912d800bdc0a186ade27
                                                • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                • Instruction Fuzzy Hash: 2F31182270978295EE10AF19D5442A9E361AB1ABD0F840633EF5D077DDDE7CE05A9328
                                                APIs
                                                • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B8DF173F), ref: 00007FF7B8DF3FC8
                                                • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B8DF173F), ref: 00007FF7B8DF400E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B8DF0000, based on PE: true
                                                • Associated: 00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898126945.00007FF7B8DF8000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898185801.00007FF7B8DFC000.00000004.00000001.01000000.00000006.sdmp
                                                • Associated: 00000007.00000002.1898349045.00007FF7B8DFD000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ff7b8df0000_createdump.jbxd
                                                Similarity
                                                • API ID: ExceptionFileHeaderRaise
                                                • String ID: csm
                                                • API String ID: 2573137834-1018135373
                                                • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                • Instruction ID: 13ae53875616d7f9839f74df9ddf4908be7f41bb63e18a7543d60b76634a5e18
                                                • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                • Instruction Fuzzy Hash: 2F113D32618B4182EB149B19F440669F7A0FB99B84F994231EF8D07B5CDF3DD55AC704
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: AddressProc$HandleModule
                                                • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                • API String ID: 667068680-295688737
                                                • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                • Instruction ID: 62b0500c91cef9523f7e102630275d3c99b0958e5ec6421ca41b1519452e4013
                                                • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                • Instruction Fuzzy Hash: EFA1A064A09F87B1EA04DB21BDE417533A4BF49B85B948035C8DE43330EF7EA169C392
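                                                Two things in these blocks are worth automating when triaging a report like this. First, every Memory Dump Source identifier encodes the process, the base address and the page protection of the region a function was lifted from, so the executable images can be picked out of the list without opening each dump. Second, the String ID of the 7FFE0EBE0000 block above is a GetModuleHandle/GetProcAddress name table whose contents (SRW locks, condition variables, threadpool, FLS, GetCurrentPackageId and friends) match the set of kernel32 exports that the Microsoft C++ runtime binds lazily for downlevel Windows support; a function that resolves only those names is a runtime artifact, and the "Extensive use of GetProcAddress" signature in the overview should be weighed with that in mind, whereas names outside that set would deserve attention. The Python below is an added triage helper, not Joe Sandbox code: the .sdmp field layout it parses is inferred from the identifiers on this page rather than from a published specification (an assumption), the protection and region-type decoding uses the winnt.h PAGE_* and MEM_* constants, and the thunk-name set is copied from the block above.

```python
"""Triage helpers for Joe Sandbox function blocks (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass

# Page-protection and region-type constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Field layout assumed from the identifiers in this report (not a published format):
# PID . stage . dump-id . base . protection . flags . region-type . module-index . sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    base: int
    protect: str
    mem_type: str
    module_index: int
    executable: bool


def parse_sdmp_name(name: str) -> DumpRegion:
    """Decode one Memory Dump Source identifier into its region attributes."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp identifier: {name!r}")
    prot = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return DumpRegion(
        pid=int(m["pid"], 16),
        base=int(m["base"], 16),
        protect=PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
        mem_type=MEM_TYPE.get(mtype, hex(mtype)),
        module_index=int(m["module"], 16),
        # PAGE_EXECUTE* occupy bits 0x10..0x80; PAGE_GUARD/NOCACHE modifiers sit above 0xFF.
        executable=bool(prot & 0xF0),
    )


def executable_regions(names):
    """(pid, module_index, base) of every executable region, i.e. the dumps to disassemble."""
    return sorted(
        (r.pid, r.module_index, r.base)
        for r in map(parse_sdmp_name, names) if r.executable
    )


# kernel32 exports the Microsoft C++ runtime binds lazily via GetModuleHandle/GetProcAddress
# for downlevel Windows support; copied from the String ID of the 7FFE0EBE0000 block above.
RUNTIME_THUNK_NAMES = frozenset("""
AcquireSRWLockExclusive CloseThreadpoolTimer CloseThreadpoolWait CloseThreadpoolWork
CompareStringEx CreateEventExW CreateSemaphoreExW CreateSemaphoreW CreateSymbolicLinkW
CreateThreadpoolTimer CreateThreadpoolWait CreateThreadpoolWork FlsAlloc FlsFree FlsGetValue
FlsSetValue FlushProcessWriteBuffers FreeLibraryWhenCallbackReturns GetCurrentPackageId
GetCurrentProcessorNumber GetFileInformationByHandleEx GetLocaleInfoEx
GetSystemTimePreciseAsFileTime GetTickCount64 InitOnceExecuteOnce InitializeConditionVariable
InitializeCriticalSectionEx InitializeSRWLock LCMapStringEx ReleaseSRWLockExclusive
SetFileInformationByHandle SetThreadpoolTimer SetThreadpoolWait SleepConditionVariableCS
SleepConditionVariableSRW SubmitThreadpoolWork TryAcquireSRWLockExclusive
WaitForThreadpoolTimerCallbacks WakeAllConditionVariable WakeConditionVariable
""".split())


def unexplained_getprocaddress_names(string_id: str):
    """Names in a '$'-joined String ID that the runtime thunk table does not account for.

    Module names such as kernel32.dll are skipped; anything left over is what an
    analyst should look at (VirtualAlloc, WriteProcessMemory, ... would land here).
    """
    return sorted(
        n for n in string_id.split("$")
        if n and n not in RUNTIME_THUNK_NAMES and not n.lower().endswith(".dll")
    )


if __name__ == "__main__":
    sample = [  # identifiers copied from the blocks above
        "00000007.00000002.1898091394.00007FF7B8DF1000.00000020.00000001.01000000.00000006.sdmp",
        "00000007.00000002.1898051770.00007FF7B8DF0000.00000002.00000001.01000000.00000006.sdmp",
        "0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp",
        "0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp",
    ]
    for pid, mod, base in executable_regions(sample):
        print(f"pid {pid:>2} module {mod} code at {base:#x}")
```

Run against the identifiers on this page it yields one executable region per module (createdump in PID 7, the two ImporterREDServer images in PID 10), and feeding it the String ID of the GetProcAddress block returns an empty list; a sample whose resolver table also names memory or process-manipulation APIs would return those names for follow-up.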
                                                APIs
                                                  • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                  • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                  • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                  • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                  • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                  • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                  • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                • OpenEventA.KERNEL32 ref: 0000000140008454
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                  • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                  • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                  • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                  • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                  • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                  • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                  • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                • CloseHandle.KERNEL32 ref: 0000000140008554
                                                • CloseHandle.KERNEL32 ref: 0000000140008561
                                                • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                • String ID:
                                                • API String ID: 1089015687-0
                                                • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                • String ID:
                                                • API String ID: 2074253140-0
                                                • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: iswdigit$btowclocaleconv
                                                • String ID: 0$0
                                                • API String ID: 240710166-203156872
                                                • Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                • Instruction ID: 0cf34c49b4ff4ef1ace22fbb64950a036aef525a663be84b61e71c431e3f401b
                                                • Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                • Instruction Fuzzy Hash: 82813772A186C2D6E7218F25D89027A73A1FF91B48F084135DBCA462A0EF3DED45CB41
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memchr$isdigit$localeconv
                                                • String ID: 0$0123456789abcdefABCDEF
                                                • API String ID: 1981154758-1185640306
                                                • Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                • Instruction ID: ec5a6114cd85f67ba6311bd3ef53c4848000ef0419e0a41a0cf966c5a88a22c0
                                                • Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                • Instruction Fuzzy Hash: 14917A22A0D5D666F725CB24E49037E3B90FB46B48F48A075CECE47761DA3EE806C742
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: iswdigit$localeconv
                                                • String ID: 0$0$0123456789abcdefABCDEF
                                                • API String ID: 2634821343-613610638
                                                • Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                • Instruction ID: a9d5266705fa8499155b36466b77e992c510d045ec3dbf71cb64fd6e6b551ab2
                                                • Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                • Instruction Fuzzy Hash: 6B814A62E085D6A7EB248F24D89067976A0FF55B44F088035DFCA477A0DB3DEC55CB82
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                • String ID: .$.
                                                • API String ID: 479945582-3769392785
                                                • Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                • Instruction ID: bde6e903b567d659c7babf47ba3993df4f84ec54ac83d66f680ef495daec1e09
                                                • Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                • Instruction Fuzzy Hash: 2C418462A1878195EA20DF65E4842B963B5FB857A4F404235EBED037F8DF7CD485CB01
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                • String ID:
                                                • API String ID: 1799700165-0
                                                • Opcode ID: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                • Instruction ID: 3a6b280c2881091f38a62e61b74d670a019ca3ad59059a788fa850ef2ffa55ac
                                                • Opcode Fuzzy Hash: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                • Instruction Fuzzy Hash: D52112B5611A80CAE71DEE37A8523EA1362E79C7C4F149536BF594FAAEDE31C4218340
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                • String ID:
                                                • API String ID: 1326169664-0
                                                • Opcode ID: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                • Instruction ID: 478ed9857509161e29e84452208940da86f70842e14ad09ae97ee72bf3a36d90
                                                • Opcode Fuzzy Hash: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                • Instruction Fuzzy Hash: B6E15B22B09B8695FB14CFB9D5402AC7371FB88B88B514136DE8D27BA8DF38D55AC700
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                • String ID:
                                                • API String ID: 1326169664-0
                                                • Opcode ID: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                • Instruction ID: acf3f9aee38aade5f3de44d869de8380a37bb49e73983a37ce676cd2645897e9
                                                • Opcode Fuzzy Hash: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                • Instruction Fuzzy Hash: EAE15B22F09B8695EB14DFB5D4402AC7371FB88B98B514136DE9D27BA8DF38D45AC700
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ErrorFormatLastMessage
                                                • String ID: GetLastError() = 0x%X
                                                • API String ID: 3479602957-3384952017
                                                • Opcode ID: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                • Instruction ID: 03957f339625c86e619908699dc07c15f857aa178ffe48bb474e222578fe156c
                                                • Opcode Fuzzy Hash: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                • Instruction Fuzzy Hash: 63219032A18BC083E7118B2AE400399B7A4F7D97A4F159315EBE8036E9EB78C545CB40
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memmove$DiskFreeSpace_invalid_parameter_noinfo_noreturn
                                                • String ID:
                                                • API String ID: 1915456417-0
                                                • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                • Instruction ID: 2ce9fb2a35cb9ed0eac389fee9519137673b7d4ce69dfae1f6cf412d53537fbd
                                                • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                • Instruction Fuzzy Hash: CC414B32B14B8598FB10CFA5D8902AC37B5BB48BA8F545635DE9D63BA8DF38D085C740
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: InfoLocale___lc_locale_name_func
                                                • String ID:
                                                • API String ID: 3366915261-0
                                                • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                • Instruction ID: 6483e57b55896440fbf84679f4833b5189c829954eb3b4eca1008afe356cb637
                                                • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                • Instruction Fuzzy Hash: 73F01C72E2C1C2A2E3B85B69D4D97392260FB44709F40053AE59F426B4CF6EE6849742
                                                APIs
                                                • memset.VCRUNTIME140 ref: 000000014000475B
                                                  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                  • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                  • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                • API String ID: 2423274481-1946953090
                                                • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                • API String ID: 2943138195-1388207849
                                                • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                • Instruction ID: 1f676d6e16aa6a2699a040e0f9f6b17905a11fcb78648cf4b936e6efe7ab4705
                                                • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                • Instruction Fuzzy Hash: 3EF19DB2F08E1294F755AB66C8442BC26B0BB01F64F4449F7CA1D97AB9DF3DA664C340
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: `anonymous namespace'
                                                • API String ID: 2943138195-3062148218
                                                • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                • Instruction ID: aa17e701eec8a89f978f16ee0dc0f4f9a748a799287ea09d2532b3a749971802
                                                • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                • Instruction Fuzzy Hash: 90E17AB2B08B8295EB10EF66E8801BD77B0FB44B68F4481B6EA4D57B65DF38D564C700
                                                APIs
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                • String ID: (
                                                • API String ID: 703713002-3887548279
                                                • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                • String ID: [NOT FOUND ] %s
                                                • API String ID: 2350601386-3340296899
                                                • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID:
                                                • API String ID: 2943138195-0
                                                • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                • Instruction ID: e92beea8d233fa579ddbbb0a83636ca7f0e9fab178687b9a742e8b7c7f0520f8
                                                • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                • Instruction Fuzzy Hash: 54F18AB2F08B829AE701EF66D4901FC37B1EB04B58F4480F2EA4D57AA5DE38D569C340
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                • String ID:
                                                • API String ID: 1818695170-0
                                                • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                • API String ID: 2943138195-2309034085
                                                • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                • Instruction ID: ecb21210ebae98f05e1b43257bdc6b7954e0f60bbfdf2b840741a93ab9fa900a
                                                • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                • Instruction Fuzzy Hash: 8FE19EA2F08E0295FB15FB66C9541BC27A0AF05F64F5401F7CA8D17AB9DE3CA56AC340
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                • API String ID: 140832405-680935841
                                                • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                • String ID: csm$csm$csm
                                                • API String ID: 3436797354-393685449
                                                • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                • Instruction ID: a6d83e2dcd125bfbc972fd24c4e86497a2278a726ab0540f8e308fdf58788eba
                                                • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                • Instruction Fuzzy Hash: F2D15FB2B08B4186EB50AF66D4502BD77A4FB45FA8F0401B6EE4D57769CF38E5A4C700
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                • String ID:
                                                • API String ID: 3420081407-0
                                                • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                • Instruction ID: 35388c6ea3636a7bbe4b06e9e88e9ab2cbafc2beb82ba2c13acce3b6df07f368
                                                • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                • Instruction Fuzzy Hash: 58A1D272B0868296FB318F20C4503BA6699EF04BA4F445631CEDD167F8DF7DE8448B81
                                                APIs
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                  • Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                  • Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA87E), ref: 00007FFE0EBF6971
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA87E), ref: 00007FFE0EBF698E
                                                • _Maklocstr.LIBCPMT ref: 00007FFE0EBF69AA
                                                • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA87E), ref: 00007FFE0EBF69B3
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA87E), ref: 00007FFE0EBF69D0
                                                • _Maklocstr.LIBCPMT ref: 00007FFE0EBF69EC
                                                • _Maklocstr.LIBCPMT ref: 00007FFE0EBF6A01
                                                  • Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
                                                  • Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
                                                  • Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0
                                                Strings
                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EBF6999
                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE0EBF69DB
                                                • :AM:am:PM:pm, xrefs: 00007FFE0EBF69FA
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                • API String ID: 269533641-35662545
                                                • Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                • Instruction ID: 2bf2c6fbc2b0f9f9efbbdd7e6417a6dd30ccfc433c49134a97159782c60506f6
                                                • Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                • Instruction Fuzzy Hash: D2215E32A04B8582EB14DF31E4912A973A1FB98F84F448235DB9D5776AEF3CE581C780
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                • String ID:
                                                • API String ID: 1733283546-0
                                                • Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                • Instruction ID: 7bf78e85c8d7089e48d4619f76f5e47bb65a781932286337c4d8efef357b3882
                                                • Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                • Instruction Fuzzy Hash: 71917F32A08B8286EB608F21D48037967E5FB44BA8F544235EE9D57BF8DF7DE4458B40
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                • String ID:
                                                • API String ID: 3166507417-0
                                                • Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                • Instruction ID: d156dc7d99c01971b7caad8780bbced8cef34f3137ff5eae638d5a2073725a14
                                                • Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                • Instruction Fuzzy Hash: F961F622F086C2AAFB10DFA2C4D12FD3721AB85748F504235DE8D677A5DE3AE54AC701
                                                APIs
                                                • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                  • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                  • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                  • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                  • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                • String ID:
                                                • API String ID: 2702579277-0
                                                • Opcode ID: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                • Instruction ID: 4e02132fa2518a481f17a5c3ad5963577c23686a774b89ce01035fe16d76d46e
                                                • Opcode Fuzzy Hash: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                • Instruction Fuzzy Hash: 09618EB2608A4082FB12CB26F8947EA67A2F78EBD0F505121FB9D476B5DF3DC5498700
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2003779279-1866435925
                                                • Opcode ID: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                • Instruction ID: 6eb2ac9998ec2de09c989ac003f35a592c68ac813fea8bb4f31e1f712a89cbe5
                                                • Opcode Fuzzy Hash: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                • Instruction Fuzzy Hash: 0F919062A18A85A2EF64CF19E4D13B96760FBD4B84F548036CA8E477B5DF3ED846C301
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                • API String ID: 0-3207858774
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+$Name::operator+=
                                                • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                • API String ID: 179159573-1464470183
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                • String ID:
                                                • API String ID: 3781602613-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID:
                                                • API String ID: 2943138195-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900730446.00007FFE148E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE148E0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900715248.00007FFE148E0000.00000002.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900765601.00007FFE148E8000.00000004.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900781523.00007FFE148E9000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe148e0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort$AdjustPointermemmove
                                                • String ID:
                                                • API String ID: 338301193-0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900730446.00007FFE148E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE148E0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900715248.00007FFE148E0000.00000002.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900765601.00007FFE148E8000.00000004.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900781523.00007FFE148E9000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe148e0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                • String ID: csm$csm$csm
                                                • API String ID: 211107550-393685449
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                • String ID: csm$csm$csm
                                                • API String ID: 211107550-393685449
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memchrtolower$_errnoisspace
                                                • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                • API String ID: 3508154992-2692187688
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                • API String ID: 2943138195-2239912363
                                                APIs
                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                 • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                • String ID: ImptRED_CEvent_
                                                • API String ID: 2242036409-942587184
                                                APIs
                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                 • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                • String ID: ImptRED_SEvent_
                                                • API String ID: 2242036409-1609572862
                                                APIs
                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                 • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                • String ID: ImptRED_CmdMap_
                                                • API String ID: 2242036409-3276274529
                                                APIs
                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                 • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                • String ID: ImptRED_DMap_
                                                • API String ID: 2242036409-2879874026
                                                • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 1099746521-1866435925
                                                • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                • Instruction ID: 8faaeb758318ed81f72fdd3940cf9df5cebf773db5cd0697e721135aa0132016
                                                • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                • Instruction Fuzzy Hash: D121D8A1A1954AA5FE24DF10E8C26FA1321FFA0340F984036D5CE427BEEF2ED545CB41
                                                APIs
                                                  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                  • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                  • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                 • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                • String ID: MRDH$SideCarLut
                                                • API String ID: 916663099-3852011117
                                                • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2003779279-1866435925
                                                • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                • Instruction ID: 77e40d3296f41f798c76409092917bc708989f0f3305adf5f67149eb8c7ce699
                                                • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                • Instruction Fuzzy Hash: 57613062A08A86A5EB64CF19D4D13B96760FBD4F84F54803ACA8E477B5DF3ED846C301
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 1428583292-1866435925
                                                • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                • Instruction ID: c714b26ba80fb00c46a166b756a9340bfefe1fcbbb14cf421bd683f3ab46b683
                                                • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                • Instruction Fuzzy Hash: E9719E72619A86A9EF64CF65E4802BE33A0FB54B88F844032EA8D67B74DF3DD555C700
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                • API String ID: 1852475696-928371585
                                                • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                • Instruction ID: bf3c5928af7a4f54e96b48b622f0f3e575d0c6bfc1b8b3c3d21e3a7c1f9013cd
                                                • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                • Instruction Fuzzy Hash: 6351BFA2B09E4692EE20EB66E4902B9A3A0FF44FA4F4444F3DA5D43675DF3CE525C301
                                                APIs
                                                • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC298D3
                                                • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0EC1C678), ref: 00007FFE0EC298E4
                                                • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC29927
                                                • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0EC1C678), ref: 00007FFE0EC29938
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2003779279-1866435925
                                                • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                • Instruction ID: 63c39ad9b4c8c5f46fbdca7229f5d110ed462b561525edb83be33b2a9f64b6f2
                                                • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                • Instruction Fuzzy Hash: 3E615E62A08A8595EB64CF19D4D13B96760FBD0F94F58803ACA8E477B5DF3ED846C302
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memchrtolower$_errnoisspace
                                                • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                • API String ID: 3508154992-4256519037
                                                • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                • Instruction ID: 1cbab3bdbb2275eb32b3d0a3aad655d2544c2f89891c474bea03450ae75cca09
                                                • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                • Instruction Fuzzy Hash: C551E722A0D6C666E7218E3594A43B976D0BF86B94F484174DDDE437B4DE3EE842C702
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2003779279-1866435925
                                                • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                • Instruction ID: ed9e231ab8a70a85ba7038c2219035a5585218d6dea263a80519a103c27ac526
                                                • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                • Instruction Fuzzy Hash: A7519E62A08A4A91EF60CF29D5C12BD6760FF84B84F544532DA9D837B9DF2DD845CB00
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+$Name::operator+=
                                                • String ID: {for
                                                • API String ID: 179159573-864106941
                                                • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                • Instruction ID: 9842e773e3412af4cf65e0198cabaf7c1106b0f0c0d1e2616a1ce861183a0ec5
                                                • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                • Instruction Fuzzy Hash: 08515BB2B08A85A9E711AF26C4413FC77A1EB44B68F4480F2EA5C47BA9DF7CD560C340
                                                APIs
                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FFE148E3717,?,?,00000000,00007FFE148E3548,?,?,?,?,00007FFE148E32C9), ref: 00007FFE148E35DD
                                                • GetLastError.KERNEL32(?,?,?,00007FFE148E3717,?,?,00000000,00007FFE148E3548,?,?,?,?,00007FFE148E32C9), ref: 00007FFE148E35EB
                                                • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE148E3717,?,?,00000000,00007FFE148E3548,?,?,?,?,00007FFE148E32C9), ref: 00007FFE148E3604
                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FFE148E3717,?,?,00000000,00007FFE148E3548,?,?,?,?,00007FFE148E32C9), ref: 00007FFE148E3616
                                                • FreeLibrary.KERNEL32(?,?,?,00007FFE148E3717,?,?,00000000,00007FFE148E3548,?,?,?,?,00007FFE148E32C9), ref: 00007FFE148E365C
                                                • GetProcAddress.KERNEL32(?,?,?,00007FFE148E3717,?,?,00000000,00007FFE148E3548,?,?,?,?,00007FFE148E32C9), ref: 00007FFE148E3668
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900730446.00007FFE148E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE148E0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900715248.00007FFE148E0000.00000002.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900765601.00007FFE148E8000.00000004.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900781523.00007FFE148E9000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe148e0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                • String ID: api-ms-
                                                • API String ID: 916704608-2084034818
                                                • Opcode ID: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
                                                • Instruction ID: f867113406577aa33ae9bd3a8209e0e3e9b1e301a5c35127559e928259c6b782
                                                • Opcode Fuzzy Hash: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
                                                • Instruction Fuzzy Hash: 8B31D221A1AF02D1EE11DB53A880575A394BF4ABB0F594974FD1D263B0EF3CE84D8710
                                                APIs
                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A456931
                                                • GetLastError.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A45693F
                                                • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A456958
                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A45696A
                                                • FreeLibrary.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A4569B0
                                                • GetProcAddress.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A4569BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                • String ID: api-ms-
                                                APIs
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                  • Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                  • Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EC11309
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EC11326
                                                • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EC1134B
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EC11368
                                                  • Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
                                                  • Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
                                                  • Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0
                                                Strings
                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EC11331
                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE0EC11373
                                                • :AM:am:PM:pm, xrefs: 00007FFE0EC11392
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                APIs
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                  • Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                  • Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBF6A5E
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBF6A7B
                                                • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBF6A9B
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBF6AB8
                                                  • Part of subcall function 00007FFE0EBE4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4DF9
                                                  • Part of subcall function 00007FFE0EBE4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E28
                                                  • Part of subcall function 00007FFE0EBE4DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E3F
                                                Strings
                                                • :AM:am:PM:pm, xrefs: 00007FFE0EBF6AD4
                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE0EBF6AC3
                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EBF6A86
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort$AdjustPointer
                                                • String ID:
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort$AdjustPointer
                                                • String ID:
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                • String ID:
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                • String ID:
                                                APIs
                                                  • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                  • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                  • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                • memcpy.VCRUNTIME140 ref: 000000014000C3C8
                                                • memcpy.VCRUNTIME140 ref: 000000014000C427
                                                  • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                  • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: FileHeader_local_unwind
                                                • String ID: MOC$RCC$csm$csm
                                                APIs
                                                • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                • String ID:
                                                APIs
                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB38
                                                • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB48
                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB5D
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB91
                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB9B
                                                • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBBAB
                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBBBB
                                                  • Part of subcall function 00007FFE0EC325AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5AF8), ref: 00007FFE0EC325C6
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memmove$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                • String ID:
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: CurrentThread$xtime_get
                                                • String ID:
                                                • API String ID: 1104475336-0
                                                • Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                • Instruction ID: 79465ca6b675407478ecc27e2a016d28c5bb8bf691b7348bf8a57c994f1016a7
                                                • Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                • Instruction Fuzzy Hash: 2B41CB32A0864796EA78CF35E48477973A1EB44B45F504036DBCE926B1DF3EE885CB01
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2924853686-1866435925
                                                • Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                • Instruction ID: 3f3357b9f172789a0f47161016322e7f47f97597d3826bb6f1a7a791764ec3e8
                                                • Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                • Instruction Fuzzy Hash: 5C41B273A15B8696EB68CF25E4803AD33A0FB14B98F444131DA8C57669DF3DD5A4CB40
                                                APIs
                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EC03B56
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                  • Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                  • Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                • _Maklocstr.LIBCPMT ref: 00007FFE0EC03BCF
                                                • _Maklocstr.LIBCPMT ref: 00007FFE0EC03BE5
                                                • _Getvals.LIBCPMT ref: 00007FFE0EC03C8A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                • String ID: false$true
                                                • API String ID: 2626534690-2658103896
                                                • Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                • Instruction ID: aca3de2adbe277101c996bd361fedcc0a3276ebbf42599ba96e635e6de0dadea
                                                • Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                • Instruction Fuzzy Hash: 47414C26B08A81A9F711CF74E4401ED33B1FB98748B405236EE8D67A69EF38D596C780
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: NameName::atol
                                                • String ID: `template-parameter$void
                                                • API String ID: 2130343216-4057429177
                                                • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                • Instruction ID: f85b8549f5f1985b488acaa23aca29926417e0d0263a1e5a1928cf8fb42e78bc
                                                • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                • Instruction Fuzzy Hash: 18415A62F08F4688FB04EBA6D8512FC2371BF08BA4F5401B6CE5D17A65DF38946AC340
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                • API String ID: 2943138195-2211150622
                                                • Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                • Instruction ID: c22a252683084e3a78dcfab078d5ef6a1db550ae4a7256e82204d7d60a5a2148
                                                • Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                • Instruction Fuzzy Hash: 594136B2F08F8688FB029B26D8402BC77B0BB08B58F5441B2DA5D53364DF3CA5A5C740
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: char $int $long $short $unsigned
                                                • API String ID: 2943138195-3894466517
                                                • Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                • Instruction ID: ab7eec8e7cedd0bc971dd47ea2ea2625ab5d47f9e626b2c2f00abce42a1f2c98
                                                • Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                • Instruction Fuzzy Hash: B34168B2F18B5689EB159F6AD8481BC37B1BB09B68F4481B3CA0C57B78DF389564C700
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                • String ID:
                                                • API String ID: 3009415009-0
                                                • Opcode ID: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                • Instruction ID: 4b109ae2f28a530a12141c145e22dae3e426cbfb02934c6a63f998653b5fd528
                                                • Opcode Fuzzy Hash: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                • Instruction Fuzzy Hash: 54E14B22B09B8695EB11CFB9D4406AC6771FB49B88F504136DE9D27BA9DF3CD44AC700
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Dunscale$_errno
                                                • String ID:
                                                • API String ID: 2900277114-0
                                                • Opcode ID: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                • Instruction ID: 59b1b3afaf6aebcb04d8dd5a17f4a23d7bcc3ab028dee75a38d7bb2218fc8fc2
                                                • Opcode Fuzzy Hash: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                • Instruction Fuzzy Hash: 45A1E617D1CFC6A6E719DE3484C01BD2362FF17794F508275EB8A265A5EF39A0A2C342
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Dunscale$_errno
                                                • String ID:
                                                • API String ID: 2900277114-0
                                                • Opcode ID: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                • Instruction ID: 12d8294eb01d6d92b4071827f797c20b806341b1cdacebf2424ba261adabd400
                                                • Opcode Fuzzy Hash: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                • Instruction Fuzzy Hash: F9A1D532E086C6BAEB10DE2685C20BC7352FF56358F544270EB89125F6DF3AB4D69702
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                • API String ID: 2665656946-1215215629
                                                • Opcode ID: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                • Instruction ID: 1f94f83d43c849715069b53280c3cf1e8531b19b99bc01c412034d7b6d4e24df
                                                • Opcode Fuzzy Hash: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                • Instruction Fuzzy Hash: B19122B1211A8499EB22DF27F8503DA7361F74ABD4F884222EB490B7B9DB7EC141C701
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: fgetc
                                                • String ID:
                                                • API String ID: 2807381905-0
                                                • Opcode ID: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                • Instruction ID: f689f416f7fcdde8a6f0ba1c965c232d136c4f4ba637338478ae5514761810df
                                                • Opcode Fuzzy Hash: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                • Instruction Fuzzy Hash: B6915073605A81D8EB24CF35C4943AC33A1FB84B98F551632EA9D87BA9DF3AD458C740
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                • String ID:
                                                • API String ID: 3490103321-0
                                                • Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                • Instruction ID: 50a5fa67ed678d2f27098a6ded44614926f85c06d1736a7c39ff513b1bee163f
                                                • Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                • Instruction Fuzzy Hash: 6B61F722B1C6C2E2E611DE61E4C05FE6720FB96744F500176EE8D537A5DE3ED84A8B01
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                • String ID:
                                                • API String ID: 3490103321-0
                                                • Opcode ID: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                • Instruction ID: d34401fff68750012ee56e62070e06ff3b493ce9a8b90424d8bb37001f6c87c3
                                                • Opcode Fuzzy Hash: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                • Instruction Fuzzy Hash: 23610722B1CAC2E6E711DF61E4C05BE6720FB86344F500172EECD57AA9DE3ED9498B01
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                • String ID:
                                                • API String ID: 2016347663-0
                                                • Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                • Instruction ID: 4afbe508269da6d222e440a8358ffe22a5322b69c253a3cd9e93c0a6d310b593
                                                • Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                • Instruction Fuzzy Hash: 36410465B18685A1EE24DF26E4442A96351EF48FE0F544631DFAD07BFADE3CE045C740
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: FileHandle$CloseCreateInformation
                                                • String ID:
                                                • API String ID: 1240749428-0
                                                • Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                • Instruction ID: 8a9858ccb10eef3211e9c3877b48a3205bdba7902179ba2707240577b4e57aa7
                                                • Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                • Instruction Fuzzy Hash: BE41B432F086828AF760CF74E8507BA33A0AB587A8F015735DE9C46BA8DF39D5958740
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                • String ID:
                                                • API String ID: 3741236498-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                • String ID:
                                                • API String ID: 2153537742-0
                                                APIs
                                                • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2F59
                                                • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2F6B
                                                • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2F7A
                                                • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2FE0
                                                • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2FEE
                                                • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE3001
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                • String ID:
                                                • API String ID: 490008815-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: CloseHandle$FileUnmapView
                                                • String ID:
                                                • API String ID: 260491571-0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900730446.00007FFE148E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE148E0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe148e0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort$CallEncodePointerTranslator
                                                • String ID: MOC$RCC
                                                • API String ID: 2889003569-2084237596
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort$CallEncodePointerTranslator
                                                • String ID: MOC$RCC
                                                • API String ID: 2889003569-2084237596
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                • API String ID: 2943138195-757766384
                                                APIs
                                                • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                  • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                  • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                • API String ID: 3207467095-2931640462
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort$CallEncodePointerTranslator
                                                • String ID: MOC$RCC
                                                • API String ID: 2889003569-2084237596
                                                APIs
                                                • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19CFA
                                                • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19D0B
                                                • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19D64
                                                • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19E14
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: isspace$isalnumisxdigit
                                                • String ID: (
                                                • API String ID: 3355161242-3887548279
                                                APIs
                                                • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BBFE
                                                • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BC0F
                                                • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BC76
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: iswspace$iswxdigit
                                                • String ID: (
                                                • API String ID: 3812816871-3887548279
                                                APIs
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                  • Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                  • Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0EBFA22C), ref: 00007FFE0EC03A25
                                                  • Part of subcall function 00007FFE0EBEB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7BF
                                                  • Part of subcall function 00007FFE0EBEB794: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7DB
                                                • _Getvals.LIBCPMT ref: 00007FFE0EC03A61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                • API String ID: 3031888307-3573081731
                                                APIs
                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EC03CE2
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                  • Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                  • Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                • _Maklocstr.LIBCPMT ref: 00007FFE0EC03D5B
                                                • _Maklocstr.LIBCPMT ref: 00007FFE0EC03D71
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                • String ID: false$true
                                                • API String ID: 309754672-2658103896
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2003779279-1866435925
                                                • Opcode ID: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                • Instruction ID: 9a4aea7ab831396da08781dad93c818f930da4b54411dc3eecb651b3eb6d54ed
                                                • Opcode Fuzzy Hash: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                • Instruction Fuzzy Hash: 6D21A162A18B8696EE28DF25E5813B96370FB50784F884031D6CD47BB9DF3DE1A5CB00
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2003779279-1866435925
                                                • Opcode ID: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                • Instruction ID: b89b571d83ab09ca7de993d3b0f756d6072d179c7ebbee554d04edccf5b821c7
                                                • Opcode Fuzzy Hash: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                • Instruction Fuzzy Hash: C4F0D6A1A18A4AE5EE28CB10E4816F92321FB90744F984435D18D066B9DF3EE146CB41
                                                APIs
                                                • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                • String ID:
                                                • API String ID: 3275830057-0
                                                • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: fgetwc
                                                • String ID:
                                                • API String ID: 2948136663-0
                                                • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                • Instruction ID: 7b6d0cd1994a07db59450b6f70136df15b4138547ebad035d42f3e0653dffa0f
                                                • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                • Instruction Fuzzy Hash: 07816D73605A81C8EB24CF65C0903AD33A1FB48B98F511636EB9E97BA9DF3AD454C700
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                • String ID:
                                                • API String ID: 2665656946-0
                                                • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                APIs
                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEB9D3
                                                • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEB9E1
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBA1A
                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBA24
                                                • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBA32
                                                  • Part of subcall function 00007FFE0EC325AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5AF8), ref: 00007FFE0EC325C6
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memmovememset$_invalid_parameter_noinfo_noreturnmalloc
                                                • String ID:
                                                • API String ID: 3042321802-0
                                                • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                • Instruction ID: d108c35fd97fb65bc0fae609ff0e1806d27cdf1927f5d9ab38a00a1e6fad36e3
                                                • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                • Instruction Fuzzy Hash: FD31F425B0868291EE34DF26A5883BA6351FB08BD0F184531DFDD0BBBADE7CE4818741
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: NameName::$Name::operator+
                                                • String ID:
                                                • API String ID: 826178784-0
                                                • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                • Instruction ID: 481c71f12d8dc657a2eb355d85b103667f52c7a1ab074373772cce4ab92c22e3
                                                • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                • Instruction Fuzzy Hash: CF4147A2B18F5699EB10EF22D8841B833B4BB15FA4B5444F3EA5D533A5DF38E865C300
                                                APIs
                                                  • Part of subcall function 00007FFE0EBF2160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE0EBE4C3E,?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBF216F
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C47
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C5B
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C6F
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C83
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C97
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4CAB
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free$setlocale
                                                • String ID:
                                                • API String ID: 294139027-0
                                                • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                • Instruction ID: 1e5e5b5c56ee6cdaed43a69cc404b4ccdd17864811d9adf89869215911524983
                                                • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                • Instruction Fuzzy Hash: FA110922A06A4591EB69DF71C0E633963A1EF44F48F180534CA4E0A368CF6EE894D3C1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$abortfputcfputs
                                                • String ID:
                                                • API String ID: 2697642930-0
                                                • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                • Instruction ID: 7bdc807064fb7b8a419106e8305be1092c2de405a92226c96f21e0b23743f289
                                                • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                • Instruction Fuzzy Hash: D2E0ECA4A186C6A6EB08ABB1EC9933563269F48F52F240538C98F46378CE2D64884212
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                • String ID: %.0Lf$0123456789-
                                                • API String ID: 4032823789-3094241602
                                                • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                • Instruction ID: ec0ec5e9b4c5a6d559d8996877f88adf1f1b31fe7816efb027d36354706b5d0d
                                                • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                • Instruction Fuzzy Hash: 1A717B66B09B95A9EB10CFA5D4906BC7371EB48B88F404136EE8D17BA8DE3DD44AC341
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                • String ID: 0123456789-
                                                • API String ID: 2457263114-3850129594
                                                • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                • Instruction ID: d043602b282152a7f51340c5a60ffe27758ae94b0e2e64b35f45cc576cd214c9
                                                • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                • Instruction Fuzzy Hash: 78719D22B09BC5A9FB10CBB5D4902AC7771EB4AB98F440076DE9D17BA9CE39D45AC301
                                                APIs
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                • String ID: gfffffff$gfffffff
                                                • API String ID: 3668304517-161084747
                                                • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                • String ID: %.0Lf
                                                • API String ID: 1248405305-1402515088
                                                • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                • Instruction ID: 170b2e4c54f029ca353c0237e47f5d75a17ec4ae1e901d4e7d2bb818d132b581
                                                • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                • Instruction Fuzzy Hash: F161B222B08BC195EB11CB76E8802AD7771EB4AB94F544172EE8D27B7ADE3DD046C301
                                                APIs
                                                  • Part of subcall function 00007FFE148E349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE148E1222), ref: 00007FFE148E34DC
                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE148E222F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900730446.00007FFE148E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE148E0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900715248.00007FFE148E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900765601.00007FFE148E8000.00000004.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900781523.00007FFE148E9000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe148e0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort
                                                • String ID: $csm$csm
                                                • API String ID: 4206212132-1512788406
                                                APIs
                                                  • Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E
                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4541C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort
                                                • String ID: $csm$csm
                                                • API String ID: 4206212132-1512788406
                                                APIs
                                                  • Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E
                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453F13
                                                • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A453F23
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                • String ID: csm$csm
                                                • API String ID: 4108983575-3733052814
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Exception$RaiseThrowabort
                                                • String ID: csm
                                                • API String ID: 3758033050-1018135373
                                                APIs
                                                • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBEF8D4
                                                • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBEF8E6
                                                • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBEF96B
                                                  • Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
                                                  • Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
                                                  • Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: setlocale$freemallocmemmove
                                                • String ID: bad locale name
                                                • API String ID: 4085402405-1405518554
                                                APIs
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                  • Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                  • Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFE0EC12278), ref: 00007FFE0EC1434D
                                                  • Part of subcall function 00007FFE0EBEB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7BF
                                                  • Part of subcall function 00007FFE0EBEB794: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7DB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                • API String ID: 462457024-3573081731
                                                APIs
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                  • Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                  • Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0EBFA07C), ref: 00007FFE0EC038E1
                                                  • Part of subcall function 00007FFE0EBEB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7BF
                                                  • Part of subcall function 00007FFE0EBEB794: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7DB
                                                  • Part of subcall function 00007FFE0EBF67B0: _Maklocstr.LIBCPMT ref: 00007FFE0EBF67E0
                                                  • Part of subcall function 00007FFE0EBF67B0: _Maklocstr.LIBCPMT ref: 00007FFE0EBF67FF
                                                  • Part of subcall function 00007FFE0EBF67B0: _Maklocstr.LIBCPMT ref: 00007FFE0EBF681E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                • API String ID: 2504686060-3573081731
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: NameName::
                                                • String ID: %lf
                                                • API String ID: 1333004437-2891890143
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: FileFindNext$wcscpy_s
                                                • String ID: .
                                                • API String ID: 544952861-248832578
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                • String ID: ios_base::badbit set
                                                • API String ID: 1099746521-3882152299
                                                APIs
                                                  • Part of subcall function 00007FFE148E349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE148E1222), ref: 00007FFE148E34DC
                                                • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE148E12A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900730446.00007FFE148E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE148E0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900715248.00007FFE148E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900765601.00007FFE148E8000.00000004.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900781523.00007FFE148E9000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe148e0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abortterminate
                                                • String ID: MOC$RCC$csm
                                                • API String ID: 661698970-2671469338
                                                APIs
                                                  • Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E
                                                • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45243E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abortterminate
                                                • String ID: MOC$RCC$csm
                                                • API String ID: 661698970-2671469338
                                                APIs
                                                • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE1A45E9F0
                                                  • Part of subcall function 00007FFE1A45EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A45ECF0
                                                  • Part of subcall function 00007FFE1A45EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A45E9F5), ref: 00007FFE1A45ED3F
                                                  • Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E
                                                • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45EA1A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                • String ID: csm$f
                                                • API String ID: 2451123448-629598281
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID:
                                                • API String ID: 2943138195-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+$NameName::
                                                • String ID:
                                                • API String ID: 168861036-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                 • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
                                                • String ID:
                                                • API String ID: 3533975685-0
                                                APIs
                                                • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE0EBF67E5), ref: 00007FFE0EBF6EA1
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE0EBF67E5), ref: 00007FFE0EBF6EF2
                                                • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE0EBF67E5), ref: 00007FFE0EBF6EFC
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE0EBF6F3D
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                • String ID:
                                                • API String ID: 2016347663-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                • String ID:
                                                • API String ID: 2016347663-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Xp_movx$Xp_setw_errnoldexpmemmove
                                                • String ID:
                                                • API String ID: 2295688418-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                • String ID:
                                                • API String ID: 2234106055-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                • String ID:
                                                • API String ID: 3857474680-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID:
                                                • API String ID: 2943138195-0
                                                APIs
                                                • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE0EC0E921), ref: 00007FFE0EC1AFB7
                                                • memmove.VCRUNTIME140(?,00000000,?,?,?,00007FFE0EC0E921), ref: 00007FFE0EC1AFDB
                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0EC0E921), ref: 00007FFE0EC1AFE8
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0EC0E921), ref: 00007FFE0EC1B05B
                                                  • Part of subcall function 00007FFE0EBE2E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE2E5A
                                                  • Part of subcall function 00007FFE0EBE2E30: LCMapStringEx.KERNEL32 ref: 00007FFE0EBE2E9E
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: String___lc_locale_name_funcfreemallocmemmovewcsnlen
                                                • String ID:
                                                • API String ID: 1076354707-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _fsopen$fclosefseek
                                                • String ID:
                                                • API String ID: 410343947-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _wfsopen$fclosefseek
                                                • String ID:
                                                • API String ID: 1261181034-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                 • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                • String ID:
                                                • API String ID: 4174221723-0
                                                APIs
                                                • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0EC1576B), ref: 00007FFE0EC1A604
                                                • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0EC1576B), ref: 00007FFE0EC1A60E
                                                  • Part of subcall function 00007FFE0EBE26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE2728
                                                  • Part of subcall function 00007FFE0EBE26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE274E
                                                  • Part of subcall function 00007FFE0EBE26E0: GetCPInfo.KERNEL32 ref: 00007FFE0EBE2792
                                                • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFE0EC1576B), ref: 00007FFE0EC1A631
                                                • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE0EC1576B), ref: 00007FFE0EC1A66F
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                • String ID:
                                                • API String ID: 3421985146-0
                                                • Opcode ID: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                • Instruction ID: b740310971cb88be5131d16dfe8db4977c958e3718cdd8eba842a5f94753823d
                                                • Opcode Fuzzy Hash: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                • Instruction Fuzzy Hash: 9C21A132A08BC286EB148F2AD48002DB7A4FB85FD4B454235DE9D537A8CF3DE8018701
                                                APIs
                                                • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                  • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                  • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                 • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                • API String ID: 1351999747-1487749591
                                                • Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                • Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
                                                • Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                • Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: memmove$FormatFreeLocalMessage
                                                • String ID: unknown error
                                                • API String ID: 725469203-3078798498
                                                • Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                • Instruction ID: c82aefa378e33c3c416ab02116ce774155000ae05278ee3f7cb737d277afea52
                                                • Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                • Instruction Fuzzy Hash: 21115B236097C592E7259F25E18036DB7A0FB8ABC8F484134DACC0B7AACF7DD5508741
                                                APIs
                                                • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                • String ID:
                                                • API String ID: 3203701943-0
                                                • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                • Instruction ID: 6c2849c9110cf77f94335d8534ac6ae6aeb5100cb60be31ecdb3cacc00ef2f0e
                                                • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                • Instruction Fuzzy Hash: 920108A2E1479186DB058F7AD440068B7A0FB59B84B148235EE8E87320DA3DD0C18B01
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: malloc
                                                • String ID: MOC$RCC$csm
                                                • API String ID: 2803490479-2671469338
                                                • Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                • Instruction ID: 2eb1c19de738b88ba82bd1bf061b96b689ca80283cdc8b96d1157aeb2975832e
                                                • Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                • Instruction Fuzzy Hash: B8018425E08342C6FF789F25958517D22B5EF49B84F284031DB8E077BDCE2CE981CA02
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                • String ID: 0123456789-
                                                • API String ID: 4032823789-3850129594
                                                • Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                • Instruction ID: 1d5f5aaa04bfac841dc5666850276e3ec94d94a1513c201bfc51a0f5f5129009
                                                • Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                • Instruction Fuzzy Hash: 93716C22B09B95A9EB10CFB5D4906BC7371FB48B88F444136EE8D17BA8DE39D45AC341
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                • String ID: %.0Lf
                                                • API String ID: 296878162-1402515088
                                                • Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                • Instruction ID: b8dc7059670c45cf85f28a551a8c86511b7d106f83ca8d8d196ab4857605fec4
                                                • Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                • Instruction Fuzzy Hash: 51717222B08B8595EB11CBB5E4806BDA371EF84B94F104232EE8D67B79DF39D055C341
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                • String ID: %.0Lf
                                                • API String ID: 296878162-1402515088
                                                • Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                • Instruction ID: 5c1ad8c4f86044b0de9967c2e97fcb5a0aa395e3e49030e1fbaa052058f967bc
                                                • Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                • Instruction Fuzzy Hash: 4E718222B08B8595EB11CBB6E4806ADB371EF94B98F144232EE8D67B69DF3DD045C341
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: rand_s
                                                • String ID: invalid random_device value
                                                • API String ID: 863162693-3926945683
                                                • Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                • Instruction ID: 92f52aab7b28c24b77f8b9c55f013a41ce65f42103c345a43d91220d29c84884
                                                • Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                • Instruction Fuzzy Hash: 97510722D18EC5A5F252CB3484E11BA6364BF5B3C4F048776E5EE365B5DF3FA0928242
                                                APIs
                                                  • Part of subcall function 00007FFE148E349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE148E1222), ref: 00007FFE148E34DC
                                                • _CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE148E2666
                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE148E26C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900730446.00007FFE148E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE148E0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900715248.00007FFE148E0000.00000002.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900765601.00007FFE148E8000.00000004.00000001.01000000.0000000B.sdmp
                                                 • Associated: 0000000A.00000002.1900781523.00007FFE148E9000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe148e0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort$CreateFrameInfo
                                                • String ID: csm
                                                • API String ID: 2697087660-1018135373
                                                • Opcode ID: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
                                                • Instruction ID: 7838d7a9e5297f331b8acdd8298ddfabe58c08d8de74ee4e89e513dadfea6941
                                                • Opcode Fuzzy Hash: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
                                                • Instruction Fuzzy Hash: 75517332618B4286D620EF16E48066EB7B4F789BA4F101574FB8D17B66CF3CE855CB00
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: abort$CreateFrameInfo
                                                • String ID: csm
                                                • API String ID: 2697087660-1018135373
                                                • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                • Instruction ID: e20f068562fb8a79c6376a3f11815f6f1b5ea2c11c22a2b7706f1c1482beb7f7
                                                • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                • Instruction Fuzzy Hash: 6E514FB6718B4186D620AB26E04127E77B5F788FA0F1415B6EB8D07B66CF38D461CB00
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                • String ID: !%x
                                                • API String ID: 1195835417-1893981228
                                                • Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                • Instruction ID: 4f1ef3fd37f85a9046cf1d732c31e1c53946f4c50606fb24339a8bb074c353e2
                                                • Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                • Instruction Fuzzy Hash: 3941AC22F14AD1A8FB00CBB5D8807EC2B31BB4A798F444572EE8D17BA9DF3991858300
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE0EBE3305
                                                  • Part of subcall function 00007FFE0EC325AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5AF8), ref: 00007FFE0EC325C6
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0EBE57FA,?,?,?,00007FFE0EBE4438), ref: 00007FFE0EBE32FE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                • String ID: ios_base::failbit set
                                                • API String ID: 1934640635-3924258884
                                                • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                • Instruction ID: 1e18ddd2b4c2fab6ebbd19e75b9ab896aec9d19895ff2c456dee20c1fac4955f
                                                • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                • Instruction Fuzzy Hash: B3218521B09B8195DA70CF11A5406AAB3E4FB88BA0F544631EEDC43BADEF3CD9558B00
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: void$void
                                                • API String ID: 2943138195-3746155364
                                                • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                • Instruction ID: fdc32364626f0b2789df4b3192eb21c8d56db032a9ea0fa3e03a73e331164180
                                                • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                • Instruction Fuzzy Hash: BB3159A6F18E5598FB01DBA1E8410FC33B0BB49B58B4405B7DE4D53B69DF389164C750
                                                APIs
                                                  • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                 • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                • API String ID: 1654775311-1428855073
                                                • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                APIs
                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE0EBEC744), ref: 00007FFE0EBEF1D4
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
                                                  • Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
                                                  • Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
                                                  • Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                • String ID: false$true
                                                • API String ID: 2502581279-2658103896
                                                • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                • Instruction ID: bc8211e2495447682a580ea38c79d532fc456c7f39770575664ffbb2b3210e27
                                                • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                • Instruction Fuzzy Hash: AB21AD76608BC591EB20DF21E0803AA37A0FB98BA8F450532DADC07769DF38D590CB80
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: FileHeader$ExceptionRaise
                                                • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                • API String ID: 3685223789-3176238549
                                                • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                • Instruction ID: 77a8a98164203b78b10b3da5ce8721de4c4edb34ad194b7efa84b1de598d03d5
                                                • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                • Instruction Fuzzy Hash: 49015EA1B29E4692EE40EB16E450178A360FF90FA4F4454F3D61E476B6EF6CD524C700
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900730446.00007FFE148E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE148E0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900715248.00007FFE148E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900765601.00007FFE148E8000.00000004.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900781523.00007FFE148E9000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe148e0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionFileHeaderRaise
                                                • String ID: csm
                                                • API String ID: 2573137834-1018135373
                                                • Opcode ID: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                • Instruction ID: d82a711e70e945946843aedf6190d053fd3bf8c44618b138b5a3e22b6bd87d04
                                                • Opcode Fuzzy Hash: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                • Instruction Fuzzy Hash: 14113D32608B4582EB118F16F480269B7A1FB89B94F584270EEDD17765DF3DD959CB00
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionFileHeaderRaise
                                                • String ID: csm
                                                • API String ID: 2573137834-1018135373
                                                • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                • Instruction ID: 24809a1097e044ec1e9fade81df69fa3e485ba4df1af179a0e31790d86056fee
                                                • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                • Instruction Fuzzy Hash: A0113D32618F8182EB518F16F440269B7A5FB88F94F2842B2DE9C07B68EF3CD561C700
                                                APIs
                                                • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0EBE633D
                                                  • Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
                                                  • Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
                                                  • Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE635A
                                                Strings
                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE0EBE6365
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free$Getmonthsmallocmemmove
                                                • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                • API String ID: 794196016-4232081075
                                                • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                • Instruction ID: 35090479cc9d7afca55063f62e8f6ed4253ce10587154346303ee8e7e748347c
                                                • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                • Instruction Fuzzy Hash: 54E03922A15B42A2EE10CB22F58426963B0EB18B80F584034DA9D02764DF3CE4E4C780
                                                APIs
                                                • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0EBE62CD
                                                  • Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
                                                  • Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
                                                  • Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE62EA
                                                Strings
                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EBE62F5
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free$Getdaysmallocmemmove
                                                • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                • API String ID: 2126063425-3283725177
                                                • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                • Instruction ID: aa54157cec7efe12e5c7362c08b095d1d56b19a628b0a53b61cf7da5b99a5aea
                                                • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                • Instruction Fuzzy Hash: EDE0ED22B14B82A2EA14DF12F594369A360FF48B80F948435DBAD07765EF3DE4A48700
                                                APIs
                                                • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0EBE6A3D
                                                  • Part of subcall function 00007FFE0EBE4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4DF9
                                                  • Part of subcall function 00007FFE0EBE4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E28
                                                  • Part of subcall function 00007FFE0EBE4DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E3F
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE6A5A
                                                Strings
                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE0EBE6A65
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free$Getmonthsmallocmemmove
                                                • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                • API String ID: 794196016-2030377133
                                                • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                • Instruction ID: b07fb7295196d19319b88440c316a95a3036724d518de6996436e5f7480b0d40
                                                • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                • Instruction Fuzzy Hash: 69E06D22B04B46A2EA50CF12F5843696360FF48B80F846034DB4E03B68DF3CE4B4C700
                                                APIs
                                                • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0EBE69ED
                                                  • Part of subcall function 00007FFE0EBE4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4DF9
                                                  • Part of subcall function 00007FFE0EBE4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E28
                                                  • Part of subcall function 00007FFE0EBE4DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E3F
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE6A0A
                                                Strings
                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EBE6A15
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free$Getdaysmallocmemmove
                                                • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                • API String ID: 2126063425-3283725177
                                                • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                • Instruction ID: 4c2c9bd95ee69f7376c4a9290b66d55bf9cfda4c4bf0cff48f310521c847f9ef
                                                • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                • Instruction Fuzzy Hash: 70E06D22B14B86A2EA20CF12F58436963A0EF48B90F545134DB4D03B68DF3CE4A48700
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrow
                                                • String ID:
                                                • API String ID: 432778473-0
                                                • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1898987015.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 0000000A.00000002.1898965602.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899013375.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899036002.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 0000000A.00000002.1899056194.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                • String ID:
                                                • API String ID: 2822070131-0
                                                • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,00007FFE148E329D,?,?,?,?,00007FFE148E411A,?,?,?,?,?), ref: 00007FFE148E33FB
                                                • SetLastError.KERNEL32(?,?,?,00007FFE148E329D,?,?,?,?,00007FFE148E411A,?,?,?,?,?), ref: 00007FFE148E3483
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900730446.00007FFE148E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE148E0000, based on PE: true
                                                • Associated: 0000000A.00000002.1900715248.00007FFE148E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900746407.00007FFE148E5000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900765601.00007FFE148E8000.00000004.00000001.01000000.0000000B.sdmp
                                                • Associated: 0000000A.00000002.1900781523.00007FFE148E9000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe148e0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ErrorLast
                                                • String ID:
                                                • API String ID: 1452528299-0
                                                • Opcode ID: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
                                                • Instruction ID: ff5f9667a7d2de80b22b7ae82c5b2a24ff8e0444f45d27e88628d332f2e3da78
                                                • Opcode Fuzzy Hash: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
                                                • Instruction Fuzzy Hash: DD117260E19F5252FA119B63A8C0138A291AF577F4F084AB4F92E233F4DF3CEC098210
                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,00007FFE1A4565B9,?,?,?,?,00007FFE1A45FB22,?,?,?,?,?), ref: 00007FFE1A45674B
                                                • SetLastError.KERNEL32(?,?,?,00007FFE1A4565B9,?,?,?,?,00007FFE1A45FB22,?,?,?,?,?), ref: 00007FFE1A4567D4
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900829487.00007FFE1A451000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A450000, based on PE: true
                                                • Associated: 0000000A.00000002.1900797886.00007FFE1A450000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900854827.00007FFE1A461000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900872704.00007FFE1A466000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 0000000A.00000002.1900892624.00007FFE1A467000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe1a450000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: ErrorLast
                                                • String ID:
                                                • API String ID: 1452528299-0
                                                • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                • Instruction ID: fdb1df9c94b19d349ed69f8c166ea8bf2120ad24cba9874ee0081fe6e84b312c
                                                • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                • Instruction Fuzzy Hash: D1112164B0DA5242FA54AB27B804134A2A1AF48FB0F1846F6D97E077F5DF2CE8618700
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free
                                                • String ID:
                                                • API String ID: 1294909896-0
                                                • Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                • Instruction ID: 0cb4e1ea0baf92eeda4fd9ba8e0bd9ebc7b17799e056605ccc12a76f4c90764d
                                                • Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                • Instruction Fuzzy Hash: 0FF0EC36B18B82A2DB44DB25E9D4168A360FF88B90B144031CB8D43B74DF7EE4A58301
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free
                                                • String ID:
                                                • API String ID: 1294909896-0
                                                • Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                • Instruction ID: adcdf30cbc1f35811041453819d414d3ba2057ab6de7c56bd707dcbe0ecccb35
                                                • Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                • Instruction Fuzzy Hash: 68F0EC36B19B82A6DB48DB25E9D4168B360FF88B90B144031CB8D43B74DF7EE4A58301
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free
                                                • String ID:
                                                • API String ID: 1294909896-0
                                                • Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                • Instruction ID: 62901fffe4049f804ef103ea5574176b033b001d8b236f79fa01328e729728a4
                                                • Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                • Instruction Fuzzy Hash: 31F0EC36B19B82A6DB45DB25E9D4168A360FF88F90B544031CB8D43B70DF6EE4A58301
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1900506958.00007FFE0EBE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE0EBE0000, based on PE: true
                                                 • Associated: 0000000A.00000002.1900488919.00007FFE0EBE0000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900552082.00007FFE0EC35000.00000002.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900589225.00007FFE0EC63000.00000004.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900608853.00007FFE0EC64000.00000008.00000001.01000000.00000009.sdmp
                                                 • Associated: 0000000A.00000002.1900630692.00007FFE0EC67000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7ffe0ebe0000_ImporterREDServer.jbxd
                                                Similarity
                                                • API ID: free
                                                • String ID:
                                                • API String ID: 1294909896-0
                                                • Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                • Instruction ID: 7335619da59392e714d45d6e7b9caaf169661e64cbf3c5c369e70a6bca2670ed
                                                • Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                • Instruction Fuzzy Hash: FFE0B663F14A4192EB64DF32D8E4038A370FF88F59B181032CF8E46334CE69D8A58381