Windows Analysis Report
setup.msi

Overview

General Information

Sample name: setup.msi
Analysis ID: 1582050
MD5: 80e352afef4ef8ff92c50bc3c6a251e3
SHA1: 39045db215deccebf3df240a0550137c90a32471
SHA256: e322369c9865d42358c67b4bf4abdb4682f423b7ad6a7b25ada1b96ff42fb2cc
Tags: kevinflansburg-com, LegionLoader, msi, RobotDropper, user-aachum

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6660 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6792 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7120 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7CC5C262EC3DC128EF58C787A8497377 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 2140 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC16C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC169.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC16A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5696 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • obs-ffmpeg-mux.exe (PID: 6936 cmdline: "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe" MD5: D3CAC4D7B35BACAE314F48C374452D71)
        • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 1748 cmdline: "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma rule matches on one process-creation event (powershell.exe, PID 2140, spawned by msiexec.exe, PID 7120); rule authors as reported:
  • Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
  • Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
  • Source: Process started | Author: frack113
  • Source: Process started | Author: frack113
  • Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Event data (identical for all five matches):
    Command / CommandLine / ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC16C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC169.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC16A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    CommandLine|base64offset|contains: (empty)
    Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 7CC5C262EC3DC128EF58C787A8497377
    ParentImage: C:\Windows\SysWOW64\msiexec.exe
    ParentProcessId: 7120
    ParentProcessName: msiexec.exe
    ProcessId: 2140
    ProcessName: powershell.exe
Sigma rule match on a network-connection event:
  • Source: Network Connection | Author: frack113
    DestinationIp: 104.21.0.151, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7120, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Suricata IDS alerts:
  Timestamp: 2024-12-29T18:38:15.650242+0100 | SID: 2829202 | Severity: 1 | Classtype: A Network Trojan was detected | Source IP: 192.168.2.4 | Source Port: 49730 | Destination IP: 104.21.0.151 | Destination Port: 443 | Protocol: TCP
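All five process-creation matches above fire on the same chain: the 32-bit msiexec.exe custom-action host (started with -Embedding) launching powershell.exe with -ExecutionPolicy Bypass on a script in the user's Temp folder. The -propFile/-scriptFile/-scriptArgsFile argument set, the AdvancedInstaller User-Agent and the PowerShellScriptLauncher.pdb path later in this report all point at Advanced Installer's PowerShell custom action, which legitimate installers built with that tool also use; the chain is a strong pivot, not a verdict on its own. The following is an added example, not code from the report or from Joe Sandbox: a stdlib-only Python triage that applies the same three conditions to process-creation records. The first sample event reproduces the fields of the match above; the two contrast events and the regexes are constructed here and are assumptions.

```python
"""Triage process-creation events for the msiexec -> powershell chain in this report."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


# Constructed sample events. Event 0 mirrors the Sigma match fields in the report;
# events 1 and 2 are made-up contrast cases (benign admin script, installer host itself).
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        command_line=(r'-NoProfile -Noninteractive -ExecutionPolicy Bypass '
                      r'-File "C:\Users\user\AppData\Local\Temp\pssC16C.ps1" '
                      r'-propFile "C:\Users\user\AppData\Local\Temp\msiC169.txt" '
                      r'-scriptFile "C:\Users\user\AppData\Local\Temp\scrC16A.ps1"'),
        parent_image=r"C:\Windows\SysWOW64\msiexec.exe",
        parent_command_line=r"C:\Windows\syswow64\MsiExec.exe -Embedding 7CC5C262EC3DC128EF58C787A8497377",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'-File "C:\Tools\inventory.ps1"',
        parent_image=r"C:\Windows\explorer.exe",
        parent_command_line=r"C:\Windows\Explorer.EXE",
    ),
    ProcEvent(
        image=r"C:\Windows\SysWOW64\msiexec.exe",
        command_line=r"C:\Windows\syswow64\MsiExec.exe -Embedding 7CC5C262EC3DC128EF58C787A8497377",
        parent_image=r"C:\Windows\System32\msiexec.exe",
        parent_command_line=r"C:\Windows\system32\msiexec.exe /V",
    ),
]

# Assumed matching rules: a partial list of the execution-policy switch spellings
# PowerShell accepts, and scripts under the per-user Temp folder.
_EP_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+(?:bypass|unrestricted)", re.I)
_TEMP_SCRIPT = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.ps1', re.I)
_INTERPRETERS = ("powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "cmd.exe")


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: ProcEvent) -> list[str]:
    """Return the reasons this event is suspicious; an empty list means nothing fired."""
    reasons = []
    child = basename(ev.image)
    parent = basename(ev.parent_image)
    # 1. msiexec custom-action host (-Embedding) spawning a script interpreter
    if (parent == "msiexec.exe" and "-embedding" in ev.parent_command_line.lower()
            and child in _INTERPRETERS):
        reasons.append("script interpreter spawned by msiexec custom-action host (-Embedding)")
    # 2. execution policy weakened on the command line
    if child in ("powershell.exe", "pwsh.exe") and _EP_BYPASS.search(ev.command_line):
        reasons.append("PowerShell execution policy set to Bypass/Unrestricted")
    # 3. script file located in the user's Temp folder
    if child in _INTERPRETERS and _TEMP_SCRIPT.search(ev.command_line):
        reasons.append("script executed from the user's Temp folder")
    return reasons


def triage_all(events: list[ProcEvent] = SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> reasons, keeping only events that fired at least once."""
    return {i: r for i, ev in enumerate(events) if (r := triage_event(ev))}


if __name__ == "__main__":
    for idx, reasons in triage_all().items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Only event 0 fires, on all three conditions; the benign script and the msiexec server process itself produce no reasons. In a real pipeline the same function runs over Sysmon event 1 or Security 4688 records mapped into ProcEvent.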

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.4% probability
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}
Source: unknown | HTTPS traffic detected: 104.21.0.151:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000000.1862893315.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: ucrtbase.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000000.1864980098.00007FF640A05000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000000.1862893315.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSI9615.tmp.1.dr, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 6d8b78.msi.1.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\cmd.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

Networking

Source: Network traffic | Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 104.21.0.151:443
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: kevinflansburg.com
Source: unknown | HTTP traffic detected:
    POST /updater.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: kevinflansburg.com
    Content-Length: 71
    Cache-Control: no-cache
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0K
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000002.1807891872.0000000004726000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://schemas.micj
Source: powershell.exe, 00000003.00000002.1807891872.00000000045D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1807891872.0000000004726000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1869274199.00007FFDF9F30000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.videolan.org/x264.html
Source: powershell.exe, 00000003.00000002.1807891872.00000000045D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1807891872.0000000004726000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1807891872.0000000004DFC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: https://kevinflansburg.com/updater.phpx
Source: powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: setup.msi, 6d8b78.msi.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 104.21.0.151:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6d8b75.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9519.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI95D6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9615.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9636.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9675.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI96B5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI96E4.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIB422.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC0C5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC0D6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6d8b78.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6d8b78.msi
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI9519.tmp
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF640A02EE0
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF640A02A10
Source: avcodec-60.dll.1.dr | Static PE information: Number of sections : 13 > 10
Source: avutil-58.dll.1.dr | Static PE information: Number of sections : 12 > 10
Source: swresample-4.dll.1.dr | Static PE information: Number of sections : 12 > 10
Source: swscale-7.dll.1.dr | Static PE information: Number of sections : 12 > 10
Source: zlib.dll.1.dr | Static PE information: Number of sections : 12 > 10
Source: avformat-60.dll.1.dr | Static PE information: Number of sections : 12 > 10
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
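The section-count and no-imports lines above are static checks on the dropped files, and both need context before they count as evidence: api-ms-win-*.dll files are normally API-set forwarder stubs that legitimately import nothing, and twelve or thirteen sections is ordinary for GCC/MinGW-built libraries such as FFmpeg's avcodec/avformat/avutil DLLs. The following is an added example, not code from the report or from Joe Sandbox: a stdlib-only Python triage that reads the COFF and optional headers, applies the report's "> 10 sections" threshold, lists section names outside an assumed set of common names, and reads the import-directory entry. The COMMON_SECTIONS set is an assumption, and the PE images produced by build_pe are synthetic header-only files constructed for the demonstration; point triage_pe at real dropped files to use it.

```python
"""Static PE triage: section count, unusual section names, empty import directory."""
import struct

# Assumed set of section names treated as ordinary; anything else is reported.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".xdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids", ".00cfg",
                   ".didat", "_RDATA"}
MAX_ORDINARY_SECTIONS = 10   # threshold used by the report ("13 > 10")


def triage_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of one PE image and return triage signals."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories begin at optional-header offset 96
        dd_off = opt + 96
    elif magic == 0x20B:        # PE32+: at offset 112
        dd_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    import_rva = import_size = 0
    if n_dirs > 1:              # directory index 1 is the import table (8 bytes per entry)
        import_rva, import_size = struct.unpack_from("<II", data, dd_off + 8)
    sec_off = opt + opt_size    # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "section_count": n_sections,
        "too_many_sections": n_sections > MAX_ORDINARY_SECTIONS,
        "nonstandard_sections": [n for n in names if n not in COMMON_SECTIONS],
        "has_imports": import_rva != 0 and import_size != 0,
    }


def build_pe(section_names, with_imports: bool) -> bytes:
    """Construct a minimal header-only PE32+ image (test data, not loadable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                  # e_lfanew
    opt_size = 240                                              # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                        # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 112 + 8, 0x3000, 0x50)      # import directory RVA/size
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
                    for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


def triage_samples() -> dict:
    """Triage two constructed images: one shaped like the flagged DLLs, one ordinary."""
    odd = build_pe([".text", ".data", ".rdata", ".pdata", ".xdata", ".bss", ".idata",
                    ".CRT", ".tls", ".rsrc", ".reloc", ".eh_fram", ".buildid"],
                   with_imports=False)
    plain = build_pe([".text", ".rdata", ".data", ".rsrc", ".reloc"], with_imports=True)
    return {"odd": triage_pe(odd), "plain": triage_pe(plain)}


if __name__ == "__main__":
    for label, result in triage_samples().items():
        print(label, result)
```

The "odd" image reproduces the two signals from the report (13 sections, no import directory) and names two sections outside the assumed set; the "plain" image raises nothing. Treat the output as input to further analysis, since an API-set forwarder or a MinGW build trips the same checks as a packed payload.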
Source: setup.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameDataUploader.dllF vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameucrtbase.dllj% vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenamevcruntime140.dllT vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenamemsvcp140.dllT vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs setup.msi
Source: classification engineClassification label: mal64.evad.winMSI@17/88@1/1
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CMLC84F.tmpJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF17539A6ABDEC3C99.TMPJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe""
Source: C:\Windows\SysWOW64\msiexec.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\PayloadJump to behavior
Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7CC5C262EC3DC128EF58C787A8497377
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC16C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC169.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC16A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe""
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe"
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7CC5C262EC3DC128EF58C787A8497377Jump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe""Jump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe"Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC16C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC169.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC16A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Section loaded: obs.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Section loaded: avcodec-60.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Section loaded: avutil-58.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Section loaded: avformat-60.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Section loaded: w32-pthreads.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Section loaded: avutil-58.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Section loaded: swresample-4.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}
Source: setup.msi | Static file information: File size 60716544 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000000.1862893315.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: ucrtbase.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: obs-ffmpeg-mux.pdb source: obs-ffmpeg-mux.exe, 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp, obs-ffmpeg-mux.exe, 0000000A.00000000.1864980098.00007FF640A05000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000000.1862893315.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 6d8b78.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSI9615.tmp.1.dr, 6d8b78.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 6d8b78.msi.1.dr
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.dr | Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr | Static PE information: section name: _RDATA
Source: createdump.exe.1.dr | Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr | Static PE information: section name: _RDATA
Source: avformat-60.dll.1.dr | Static PE information: section name: .xdata
Source: avutil-58.dll.1.dr | Static PE information: section name: .xdata
Source: swresample-4.dll.1.dr | Static PE information: section name: .xdata
Source: swscale-7.dll.1.dr | Static PE information: section name: .xdata
Source: zlib.dll.1.dr | Static PE information: section name: .xdata
Source: avcodec-60.dll.1.dr | Static PE information: section name: .rodata
Source: avcodec-60.dll.1.dr | Static PE information: section name: .xdata
Source: MSIC0D6.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI9519.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI95D6.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI9615.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI9636.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI9675.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI96B5.tmp.1.dr | Static PE information: section name: .fptable
Source: MSI96E4.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIB422.tmp.1.dr | Static PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_0086BD83 push esp; ret 3_2_0086BD93
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\avformat-60.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI96E4.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\w32-pthreads.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIB422.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\zlib.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9519.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI95D6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\avutil-58.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9636.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\swresample-4.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\avcodec-60.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\vcruntime140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\utest.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC0D6.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI96B5.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\swscale-7.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9615.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9675.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI96E4.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI95D6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9615.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC0D6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI96B5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIB422.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9636.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9519.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9675.tmp
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (88 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX (3 identical entries)
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3738
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1061
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI96E4.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\utest.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIC0D6.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIB422.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI96B5.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\zlib.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9519.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI95D6.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\swscale-7.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9615.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9636.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9675.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6352 | Thread sleep count: 3738 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6352 | Thread sleep count: 1061 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3752 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: 6d8b78.msi.1.dr | Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1869274199.00007FFDF9B1A000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: vmncVMware Screen Codec / VMware Video @
Source: obs-ffmpeg-mux.exe, 0000000A.00000002.1869274199.00007FFDF9A0D000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: VMware Screen Codec / VMware Video
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | Code function: 7_2_00007FF64D312ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF64D312ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe""
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | Code function: 7_2_00007FF64D313074 SetUnhandledExceptionFilter,7_2_00007FF64D313074
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | Code function: 7_2_00007FF64D312984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF64D312984
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF640A03E04 SetUnhandledExceptionFilter,10_2_00007FF640A03E04
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF640A03C5C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00007FF640A03C5C
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | Code function: 10_2_00007FF640A03774 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FF640A03774

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC16C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC169.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC16A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssc16c.ps1" -propfile "c:\users\user\appdata\local\temp\msic169.txt" -scriptfile "c:\users\user\appdata\local\temp\scrc16a.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrc16b.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | Code function: 7_2_00007FF64D312DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF64D312DA0
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting
1
Replication Through Removable Media
1
Command and Scripting Interpreter
1
Windows Service
1
Windows Service
21
Masquerading
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
11
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell
1
Scripting
11
Process Injection
1
Disable or Modify Tools
LSASS Memory11
Security Software Discovery
Remote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
DLL Side-Loading
1
DLL Side-Loading
21
Virtualization/Sandbox Evasion
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared Drive3
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection
NTDS21
Virtualization/Sandbox Evasion
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information
LSA Secrets1
Application Window Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Timestomp
Cached Domain Credentials11
Peripheral Device Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
DLL Side-Loading
DCSync13
System Information Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
File Deletion
Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph (ID: 1582050, Sample: setup.msi, Start date: 29/12/2024, Architecture: WINDOWS, Score: 64). Recovered from the graph:
Process tree: msiexec.exe -> msiexec.exe -> powershell.exe -> conhost.exe; msiexec.exe -> cmd.exe -> obs-ffmpeg-mux.exe -> conhost.exe; msiexec.exe -> createdump.exe -> conhost.exe; a second top-level msiexec.exe.
Dropped files: C:\Windows\Installer\MSIC0D6.tmp, MSIB422.tmp, MSI96E4.tmp (PE32) plus 51 other files (none is malicious); C:\Users\user\AppData\Local\...\scrC16A.ps1, pssC16C.ps1, msiC169.txt (Unicode).
Network: kevinflansburg.com, 104.21.0.151, port 443 (CLOUDFLARENETUS, United States).
Signatures shown on the graph: Suricata IDS alerts for network traffic; AI detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder; Bypasses PowerShell execution policy.

Source | Detection | Scanner
setup.msi | 5% | Virustotal
Source | Detection | Scanner
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\BCUninstaller.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\UnRar.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\avcodec-60.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\avformat-60.dll | 3% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\avutil-58.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\msvcp140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\swresample-4.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\swscale-7.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\utest.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\vcruntime140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\vcruntime140_1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\w32-pthreads.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\zlib.dll | 0% | ReversingLabs
C:\Windows\Installer\MSI9519.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI95D6.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9615.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9636.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9675.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI96B5.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI96E4.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIB422.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIC0D6.tmp | 0% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.micj | 0% | Avira URL Cloud | safe
https://kevinflansburg.com/updater.php | 0% | Avira URL Cloud | safe
https://kevinflansburg.com/updater.phpx | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Reputation
kevinflansburg.com | 104.21.0.151 | true | true | unknown
Name | Malicious | Antivirus Detection | Reputation
https://kevinflansburg.com/updater.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | false | none | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1807891872.0000000004726000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1807891872.00000000045D1000.00000004.00000800.00020000.00000000.sdmp | false | none | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1807891872.0000000004726000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://go.micro | powershell.exe, 00000003.00000002.1807891872.0000000004DFC000.00000004.00000800.00020000.00000000.sdmp | false | none | high
http://www.videolan.org/x264.html | obs-ffmpeg-mux.exe, 0000000A.00000002.1869274199.00007FFDF9F30000.00000002.00000001.01000000.00000008.sdmp | false | none | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1809867963.0000000005638000.00000004.00000800.00020000.00000000.sdmp | false | none | high
http://schemas.micj | setup.msi, 6d8b78.msi.1.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/winui2/webview2download/Reload(): | setup.msi, 6d8b78.msi.1.dr | false | none | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1807891872.00000000045D1000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1807891872.0000000004726000.00000004.00000800.00020000.00000000.sdmp | false | none | high
https://kevinflansburg.com/updater.phpx | setup.msi, 6d8b78.msi.1.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.0.151 | kevinflansburg.com | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582050
Start date and time: 2024-12-29 18:37:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: setup.msi
Detection: MAL
Classification: mal64.evad.winMSI@17/88@1/1
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 11
• Number of non-executed functions: 36
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target obs-ffmpeg-mux.exe, PID 6936 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2140 because it is empty
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
12:38:17 | API Interceptor | 4x Sleep call for process: powershell.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: CLOUDFLARENETUS
installer_1.05_36.5.exe | malicious | LummaC | 172.67.208.58
EFT Payment_Transcript__Survitecgroup.html | malicious | Unknown | 104.18.26.193
@Setup.exe | malicious | LummaC Stealer | 104.21.32.1
Lets-x64.exe | malicious | Nitol, Zegost | 104.21.81.224
KL-3.1.16.exe | malicious | Nitol, Zegost | 104.21.81.224
Whyet-4.9.exe | malicious | Nitol, Zegost | 104.21.81.224
GPU-Z.exe | malicious | LummaC, DarkTortilla, LummaC Stealer | 172.67.190.234
T1#U52a9#U624b1.0.1.exe | malicious | Unknown | 172.64.150.63
Winter.mp4.hta | malicious | LummaC | 104.21.80.1
MdhO83N5Fm.exe | malicious | LummaC | 172.67.208.58
Match: 37f463bf4616ecd445d4a1937da06e19
Lets-x64.exe | malicious | Nitol, Zegost | 104.21.0.151
KL-3.1.16.exe | malicious | Nitol, Zegost | 104.21.0.151
Whyet-4.9.exe | malicious | Nitol, Zegost | 104.21.0.151
QQyisSetups64.exe | malicious | GhostRat | 104.21.0.151
wyySetups64.exe | malicious | GhostRat | 104.21.0.151
aYu936prD4.exe | malicious | Unknown | 104.21.0.151
aYu936prD4.exe | malicious | Unknown | 104.21.0.151
Tool_Unlock_v1.2.exe | malicious | Vidar | 104.21.0.151
Gabriel-4.9.exe | malicious | Nitol, Zegost | 104.21.0.151
setup.msi | malicious | Unknown | 104.21.0.151
Match: C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\BCUninstaller.exe
setup.msi | malicious | Unknown
48.252.190.9.zip | malicious | Unknown
setup.msi | malicious | Unknown
TrdIE26br9.msi | malicious | Unknown
b8ygJBG5cb.msi | malicious | Unknown
setup.msi | malicious | Unknown
installer.msi | malicious | Unknown
setup.msi | malicious | Unknown
setup.msi | malicious | Unknown
installer.msi | malicious | Unknown
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):20695
                                                  Entropy (8bit):5.8296035380057445
                                                  Encrypted:false
                                                  SSDEEP:384:lPcz4egstLSjVdm/rFTIbGGIwINFEkTOoqJV4Qp9XvqVW9Bu6WrpDEVRoWnz99we:lE4egstLSjVdm/rFTIbGGIwINFEkTOoi
                                                  MD5:0C52CEB43EED70658288949AAD470A8C
                                                  SHA1:F25E70C8D41E5E42532EC466EC6DFE13BF114DB6
                                                  SHA-256:59896C47E8E42D98154F1F1EF0961CDD90A83FFA18BB82B5C46F6BFB7978742A
                                                  SHA-512:0B4735D732C4EBEF87F9E20F4705E43A4D699B167AEC275D2841A19CE0F1FC89EFFC15EB598C44DE89C450E88ED237627CA8C5F71A6FAE740A080198CA1019A6
                                                  Malicious:false
                                                  Preview:...@IXOS.@.....@.d.Y.@.....@.....@.....@.....@.....@......&.{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}..Strave App..setup.msi.@.....@.....@.....@......icon_24.exe..&.{249992BD-A78D-4A60-8413-E3315B4B9EB3}.....@.....@.....@.....@.......@.....@.....@.......@......Strave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}.@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}&.{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}.@......&.{FDDB96EE-847D-4B25-85B1-65E662CF63A8}&.{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}.@......&.{9608D8ED-8EC6-4540-B232-4A823606F862}&.{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}.@......&.{17B6E8D6-C004-40DB-BB2D-125D7C1CC21E}&.{99E2ED1F-7904-45
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1360
                                                  Entropy (8bit):5.413197223328133
                                                  Encrypted:false
                                                  SSDEEP:24:3UWSKco4KmZjKbmOIKod6lss4RPQoUP7mZ9t7J0gt/NK3R82ia8HSVbV:EWSU4xympgv4RIoUP7mZ9tK8NWR82TVx
                                                  MD5:A91A00C61ABC842BAAF20C5F19C31FD6
                                                  SHA1:C3C442C8C706D1C15495EEAEAEDAD0BD9BE23837
                                                  SHA-256:A0494C49656F3DF8A3043A22B477CA9C90E71CA54CE1E201DCAD72427750161C
                                                  SHA-512:8CF952258CB11D23C265AA9BB8D58143B2D4279460BE23C5284458E6DD8438967D291B4A903D3793F5A420ECD6C8D941BEBA0778400F8DC7FC187C8D1E020332
                                                  Malicious:false
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):100
                                                  Entropy (8bit):3.0073551160284637
                                                  Encrypted:false
                                                  SSDEEP:3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
                                                  MD5:7A131AC8F407D08D1649D8B66D73C3B0
                                                  SHA1:D93E1B78B1289FB51E791E524162D69D19753F22
                                                  SHA-256:9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
                                                  SHA-512:47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
                                                  Malicious:true
                                                  Preview (decoded UTF-16):QuiteSes :<->:  <<:>> ExtendExpire :<->: 0 <<:>>
                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):6668
                                                  Entropy (8bit):3.5127462716425657
                                                  Encrypted:false
                                                  SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                  MD5:30C30EF2CB47E35101D13402B5661179
                                                  SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                  SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                  SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                  Malicious:true
                                                  Preview (decoded UTF-16):
                                                  param(
                                                    [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
                                                   ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
                                                   ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
                                                   ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
                                                   ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
                                                   ,[Parameter(Mandatory=$true)]
                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):254
                                                  Entropy (8bit):3.555045878547657
                                                  Encrypted:false
                                                  SSDEEP:6:QfFok79idK3fOlFogltHN+KiVmMXFVrMTlP1LlG7JidK3falnUOn03AnfInO:QfF3KvogM/XFVrMTQNeFUr3+
                                                  MD5:E8A84AE0A0597E0C4FBB7FA36F7D0CA7
                                                  SHA1:B97096DF7801FA5F91542F0F9A70616DD5D49B03
                                                  SHA-256:9F2D8F053895BF9377A4686714833304E87A4E926B7581599D44B45380B5DFDE
                                                  SHA-512:83960868B8DBFFEF2B3EE557AD89BB18CF80043FEB2A7BFDB0630F32A1870585158E4F4B367C72BBFDD760A586E5D1FEB73192C0E769507A6ED81E90BF4925EB
                                                  Malicious:true
                                                  Preview (decoded UTF-16):
                                                  $oignqp = AI_GetMsiProperty "QuiteSes"
                                                  $avoijg = [uint32]($oignqp -replace 't', '')
                                                  AI_SetMsiProperty "ExtendExpire" $avoijg
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                  Category:dropped
                                                  Size (bytes):195906
                                                  Entropy (8bit):4.669224805215773
                                                  Encrypted:false
                                                  SSDEEP:1536:k1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykl:k1Z0vZXJZYDFufyXbJNCcr
                                                  MD5:E40B08C6FF5F07916B45741B7D0C5E87
                                                  SHA1:94C2357A59BAA3B537993F570CEA03EC51C1917B
                                                  SHA-256:131ABD59B7D4B6177F2815E8CEB0F3DA325CB1074AEFBE99F61A382F1895AF44
                                                  SHA-512:FA8453DD4936F772381E50533CD91DB8857F1A608CEB91F225300FC4E9DE8475EB416A3682D0C85829058570EBB9BBDF18CC650D36FA87E13BC262C827D0C695
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):310928
                                                  Entropy (8bit):6.001677789306043
                                                  Encrypted:false
                                                  SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                  MD5:147B71C906F421AC77F534821F80A0C6
                                                  SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                  SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                  SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
                                                  • Filename: setup.msi, Detection: malicious
                                                  • Filename: 48.252.190.9.zip, Detection: malicious
                                                  • Filename: setup.msi, Detection: malicious
                                                  • Filename: TrdIE26br9.msi, Detection: malicious
                                                  • Filename: b8ygJBG5cb.msi, Detection: malicious
                                                  • Filename: setup.msi, Detection: malicious
                                                  • Filename: installer.msi, Detection: malicious
                                                  • Filename: setup.msi, Detection: malicious
                                                  • Filename: setup.msi, Detection: malicious
                                                  • Filename: installer.msi, Detection: malicious
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):506008
                                                  Entropy (8bit):6.4284173495366845
                                                  Encrypted:false
                                                  SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                  MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                  SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                  SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                  SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12224
                                                  Entropy (8bit):6.596101286914553
                                                  Encrypted:false
                                                  SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                  MD5:919E653868A3D9F0C9865941573025DF
                                                  SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                  SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                  SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12224
                                                  Entropy (8bit):6.640081558424349
                                                  Encrypted:false
                                                  SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                  MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                  SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                  SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                  SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11712
                                                  Entropy (8bit):6.6023398138369505
                                                  Encrypted:false
                                                  SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                  MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                  SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                  SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                  SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.614262942006268
                                                  Encrypted:false
                                                  SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                  MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                  SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                  SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                  SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.654155040985372
                                                  Encrypted:false
                                                  SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                  MD5:94788729C9E7B9C888F4E323A27AB548
                                                  SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                  SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                  SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):15304
                                                  Entropy (8bit):6.548897063441128
                                                  Encrypted:false
                                                  SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                  MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                  SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                  SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                  SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11712
                                                  Entropy (8bit):6.622041192039296
                                                  Encrypted:false
                                                  SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                  MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                  SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                  SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                  SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.730719514840594
                                                  Encrypted:false
                                                  SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                  MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                  SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                  SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                  SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.626458901834476
                                                  Encrypted:false
                                                  SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                  MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                  SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                  SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                  SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12232
                                                  Entropy (8bit):6.577869728469469
                                                  Encrypted:false
                                                  SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                  MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                  SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                  SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                  SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11712
                                                  Entropy (8bit):6.6496318655699795
                                                  Encrypted:false
                                                  SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                  MD5:A038716D7BBD490378B26642C0C18E94
                                                  SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                  SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                  SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12736
                                                  Entropy (8bit):6.587452239016064
                                                  Encrypted:false
                                                  SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                  MD5:D75144FCB3897425A855A270331E38C9
                                                  SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                  SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                  SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):14280
                                                  Entropy (8bit):6.658205945107734
                                                  Encrypted:false
                                                  SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                  MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                  SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                  SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                  SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12224
                                                  Entropy (8bit):6.621310788423453
                                                  Encrypted:false
                                                  SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                  MD5:808F1CB8F155E871A33D85510A360E9E
                                                  SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                  SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                  SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.7263193693903345
                                                  Encrypted:false
                                                  SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                  MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                  SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                  SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                  SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12744
                                                  Entropy (8bit):6.601327134572443
                                                  Encrypted:false
                                                  SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                  MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                  SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                  SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                  SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):14272
                                                  Entropy (8bit):6.519411559704781
                                                  Encrypted:false
                                                  SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                  MD5:E173F3AB46096482C4361378F6DCB261
                                                  SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                  SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                  SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12232
                                                  Entropy (8bit):6.659079053710614
                                                  Encrypted:false
                                                  SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                  MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                  SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                  SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                  SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11200
                                                  Entropy (8bit):6.7627840671368835
                                                  Encrypted:false
                                                  SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                  MD5:0233F97324AAAA048F705D999244BC71
                                                  SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                  SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                  SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12224
                                                  Entropy (8bit):6.590253878523919
                                                  Encrypted:false
                                                  SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                  MD5:E1BA66696901CF9B456559861F92786E
                                                  SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                  SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                  SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.672720452347989
                                                  Encrypted:false
                                                  SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                  MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                  SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                  SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                  SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):13760
                                                  Entropy (8bit):6.575688560984027
                                                  Encrypted:false
                                                  SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                  MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                  SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                  SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                  SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12232
                                                  Entropy (8bit):6.70261983917014
                                                  Encrypted:false
                                                  SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                  MD5:D175430EFF058838CEE2E334951F6C9C
                                                  SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                  SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                  SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12744
                                                  Entropy (8bit):6.599515320379107
                                                  Encrypted:false
                                                  SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                  MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                  SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                  SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                  SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12232
                                                  Entropy (8bit):6.690164913578267
                                                  Encrypted:false
                                                  SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                  MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                  SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                  SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                  SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11720
                                                  Entropy (8bit):6.615761482304143
                                                  Encrypted:false
                                                  SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                  MD5:735636096B86B761DA49EF26A1C7F779
                                                  SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                  SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                  SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12744
                                                  Entropy (8bit):6.627282858694643
                                                  Encrypted:false
                                                  SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                  MD5:031DC390780AC08F498E82A5604EF1EB
                                                  SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                  SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                  SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):15816
                                                  Entropy (8bit):6.435326465651674
                                                  Encrypted:false
                                                  SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                  MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                  SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                  SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                  SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):12232
                                                  Entropy (8bit):6.5874576656353145
                                                  Encrypted:false
                                                  SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                  MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                  SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                  SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                  SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):13768
                                                  Entropy (8bit):6.645869978118917
                                                  Encrypted:false
                                                  SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                  MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                  SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                  SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                  SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                  Category:dropped
                                                  Size (bytes):37333152
                                                  Entropy (8bit):6.632921864082428
                                                  Encrypted:false
                                                  SSDEEP:393216:LzyCmQCOCLheXbl4MEf+Eidgrpj3xO6FLzq2KHplhrX5:L5WLheXbl4MEf+HgrpjVF6PD5
                                                  MD5:32F56F3E644C4AC8C258022C93E62765
                                                  SHA1:06DFF5904EBBF69551DFA9F92E6CC2FFA9679BA1
                                                  SHA-256:85AF2FB4836145098423E08218AC381110A6519CB559FF6FC7648BA310704315
                                                  SHA-512:CAE2B9E40FF71DDAF76A346C20028867439B5726A16AE1AD5E38E804253DFCF6ED0741095A619D0999728D953F2C375329E86B8DE4A0FCE55A8CDC13946D5AD8
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........(........&"...&............P........................................P.......3:...`... ......................................`...........A.....p.......t...X.9.H'.......M..............................(......................P............................text...............................`..`.rodata.0........................... ..`.data...............................@....rdata....X......X.................@..@.pdata..t...........................@..@.xdata..`...........................@..@.bss...................................edata.......`.......|..............@..@.idata...A.......B..................@....CRT....`..........................@....tls...............................@....rsrc...p..........................@....reloc...M.......N..................@..B........................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                  Category:dropped
                                                  Size (bytes):5100112
                                                  Entropy (8bit):6.374242928276845
                                                  Encrypted:false
                                                  SSDEEP:49152:WBUp8DPNkkup6GAx9HEekwEfG/66xcPiw+UgAnBM+sVf9d3PWKOyz/Omlc69kXOV:WB/Z16w8idUgfT0b6LnBSpytGyodUl
                                                  MD5:01589E66D46ABCD9ACB739DA4B542CE4
                                                  SHA1:6BF1BD142DF68FA39EF26E2CAE82450FED03ECB6
                                                  SHA-256:9BB4A5F453DA85ACD26C35969C049592A71A7EF3060BFA4EB698361F2EDB37A3
                                                  SHA-512:0527AF5C1E7A5017E223B3CC0343ED5D42EC236D53ECA30D6DECCEB2945AF0C1FBF8C7CE367E87BC10FCD54A77F5801A0D4112F783C3B7E829B2F40897AF8379
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........D..,....&"...&.R4...D.....P.........................................E.....r}N...`... .......................................D.0-....D.hX...PE.......?.......M.H'...`E..e............................>.(.....................D.`............................text....P4......R4.................`..`.data....3...p4..4...V4.............@....rdata...&....4..(....4.............@..@.pdata........?.......?.............@..@.xdata..8{....A..|...TA.............@..@.bss..........D..........................edata..0-....D.......C.............@..@.idata..hX....D..Z....C.............@....CRT....`....0E......XD.............@....tls.........@E......ZD.............@....rsrc........PE......\D.............@....reloc...e...`E..f...`D.............@..B................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1089600
                                                  Entropy (8bit):6.535744457220272
                                                  Encrypted:false
                                                  SSDEEP:24576:NFUq9wHzADwiB0Bm3k6gz0sA+wLDZyoFNRsKYw:TUdMDwIgm3kpzsNpyoFDsKYw
                                                  MD5:3AAF57892F2D66F4A4F0575C6194F0F8
                                                  SHA1:D65C9143603940EDE756D7363AB6750F6B45AB4E
                                                  SHA-256:9E0D0A05B798DA5D6C38D858CE1AD855C6D68BA2F9822FA3DA16E148E97F9926
                                                  SHA-512:A5F595D9C48B8D5191149D59896694C6DD0E9E1AF782366162D7E3C90C75B2914F6E7AFF384F4B59CA7C5A1ECCCDBF5758E90A6A2B14A8625858A599DCCA429B
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........f..X.....&"...&.2...b......P......................................... ......?....`... ......................................0 .xC.... ....... .h.......@>...x..H'.... ............................. Z..(..................... .P............................text....1.......2..................`..`.data........P.......6..............@....rdata...,...`.......8..............@..@.pdata..@>.......@...f..............@..@.xdata...K.......L..................@..@.bss......... ...........................edata..xC...0 ..D..................@..@.idata........ ......6..............@....CRT....`..... ......N..............@....tls.......... ......P..............@....rsrc...h..... ......R..............@....reloc........ ......V..............@..B................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):57488
                                                  Entropy (8bit):6.382541157520703
                                                  Encrypted:false
                                                  SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                  MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                  SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                  SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                  SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:RAR archive data, v5
                                                  Category:dropped
                                                  Size (bytes):414206
                                                  Entropy (8bit):7.999579797967773
                                                  Encrypted:true
                                                  SSDEEP:12288:2GGrNFDDiLrieAOW/WLup5RrfXs5sZ6psdHpTRFo:2GqNFqLnQ/We5Rrf5gpsdHD6
                                                  MD5:3369EC99E74F030639BA5BB316B7A1F0
                                                  SHA1:D703EDEC018861DEC872146989E49C756B2043CD
                                                  SHA-256:F452D95C5A69B1E7B00A8BC90711C62EDC8221BE80A61CF73D3A426A0DD00D40
                                                  SHA-512:ADE0797581BEB431153A21C95B7B3F8F9BB98B4AA5D0DA5DFE63198FBED6A34CD8AC87994AE10A58CF497862F46515738E487102A08DCC85C62BC8ABE6472575
                                                  Malicious:false
                                                  Preview:Rar!....C.-.!..........;.;...` !.7<[...pv.?{...f..Z.R]..h.U.)..Fr../A;<.1.... L*6..f.B+..\..p...@.......]_?..(..#L..0......3..^.-.5.ht...3..P.%...Zd9b.W..m..5R.{o@1-:4.....B2K..oC..*.6j....VF.....Y.q.tGA.A.?.k\..^.'s.[..}):...(J.jJ..6...HN..|.....V..l..L.)..~=s/ob.Y5@B#iw=cw.P.....m.{A...3.B.[...2.....b.8a..M.m...........v.i;.M.4wuQ.|.=.\.s7*a3..TT&a.....:SO..X.Gp.R.:'........C..+.k...!.E...(....P.."cJ...,..:......z%.maq.h{.;.cC.rBB..G.i.KZ.....a.*..=..jx.l...O.!.GM....M....)7..%p..sY..J.Ye.#\....-pl0S4.v.t.tps<+..je.qt..h.h....A. 5R....d..T]......Y.e#.......\.z.....;.....Q....@...x.c|.Bt........*...R...wGb....>..Y...1b..Im2.W.!..d..dL....4....^....O$.PN.\zl{..pJ)..XA.0.>:.cp.sK._..>I..V.......~.....|..E.....?....K5.!u...U{.M*-a......RRG..d..>T.....I.W.........vMWbX..>.*2G........l...&.2..;...v8.<.4...N.$.oD..Q"b.0..{...|..G.Y...uF..S~.nyY.d...B.%.3.o.7......`.,...!.wp.)..O....M...!*....HY......<Z... .1..}.y.\.K....c`....,M5.J....aEH*.. z%-4
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):566704
                                                  Entropy (8bit):6.494428734965787
                                                  Encrypted:false
                                                  SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                  MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                  SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                  SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                  SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):35656
                                                  Entropy (8bit):6.370522595411868
                                                  Encrypted:false
                                                  SSDEEP:768:ixmeWkfdHAWcgj7Y7rEabyLcRwEpYinAMx1nyqaJ:pXUdg8jU7r4LcRZ7Hx1nyqa
                                                  MD5:D3CAC4D7B35BACAE314F48C374452D71
                                                  SHA1:95D2980786BC36FEC50733B9843FDE9EAB081918
                                                  SHA-256:4233600651FB45B9E50D2EC8B98B9A76F268893B789A425B4159675B74F802AA
                                                  SHA-512:21C8D73CC001EF566C1F3C7924324E553A6DCA68764ECB11C115846CA54E74BD1DFED12A65AF28D9B00DDABA04F987088AA30E91B96E050E4FC1A256FFF20880
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D..D..D..M.3.J......F......W......N......G......F..D..l......A..D.........E...._.E......E..RichD..................PE..d................"....#.2...4......`7.........@..........................................`..................................................b..,....................d..H'......<....Z..p...........................`Y..@............P...............................text....1.......2.................. ..`.rdata..H"...P...$...6..............@..@.data...H............Z..............@....pdata...............\..............@..@.rsrc................`..............@..@.reloc..<............b..............@..B........................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):22
                                                  Entropy (8bit):3.879664004902594
                                                  Encrypted:false
                                                  SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                  MD5:D9324699E54DC12B3B207C7433E1711C
                                                  SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                  SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                  SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                  Malicious:false
                                                  Preview:@echo off..Start "" %1
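The records in this section are the raw material for triage: an encrypted RAR5 archive at near-maximal entropy (7.9996, Encrypted:true), a 22-byte batch stub that only relays its first argument (`@echo off` / `Start "" %1`), and a series of x86-64 PE files that ReversingLabs scores at 0% but that were nonetheless written to disk by msiexec.exe. The following Python script is an added example and is not part of the Joe Sandbox report or its tooling; it parses these key:value record blocks exactly as the report prints them (the three sample records below are copied from this section, with the Preview and SHA-1/SHA-512 lines omitted for brevity), groups them per dropped file, and applies the triage rules an analyst would otherwise apply by eye. The entropy threshold (7.9) and launcher size cap (64 bytes) are the example's own assumptions, not values taken from the report.

```python
"""Triage of Joe Sandbox "Dropped Files" records (added example, not sandbox code).

Each dropped file is printed by the report as a run of key:value lines that
starts with "Process:" and may carry "• Antivirus: ..." bullet lines under an
empty "Antivirus:" key.  We parse that layout, then flag:
  - encrypted-payload : entropy >= 7.9 and Encrypted:true (assumed threshold)
  - launcher-stub     : a batch file of <= 64 bytes whose preview uses %1
  - undetected-pe     : a PE file every listed scanner scores at 0%
  - dropped-by-msiexec: written to disk by the Windows Installer service
"""
from dataclasses import dataclass, field

# Sample input: three records copied from this report (Preview/SHA-1/SHA-512 omitted).
SAMPLE_RECORDS = """\
Process:C:\\Windows\\System32\\msiexec.exe
File Type:RAR archive data, v5
Category:dropped
Size (bytes):414206
Entropy (8bit):7.999579797967773
Encrypted:true
MD5:3369EC99E74F030639BA5BB316B7A1F0
SHA-256:F452D95C5A69B1E7B00A8BC90711C62EDC8221BE80A61CF73D3A426A0DD00D40
Malicious:false
Process:C:\\Windows\\System32\\msiexec.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):22
Entropy (8bit):3.879664004902594
Encrypted:false
MD5:D9324699E54DC12B3B207C7433E1711C
SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
Malicious:false
Preview:@echo off..Start "" %1
Process:C:\\Windows\\System32\\msiexec.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):57488
Entropy (8bit):6.382541157520703
Encrypted:false
MD5:71F796B486C7FAF25B9B16233A7CE0CD
SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
"""

ENTROPY_ENCRYPTED = 7.9   # assumption: 8-bit entropy this close to 8.0 means random/encrypted bytes
LAUNCHER_MAX_BYTES = 64   # assumption: a launcher stub is a handful of bytes, not a real script


@dataclass
class Dropped:
    fields: dict = field(default_factory=dict)   # "Key" -> "value" as printed in the report
    av: list = field(default_factory=list)       # "Antivirus: <engine>, Detection: <n>%" bullets


def parse_records(text: str) -> list:
    """Split the report text into one Dropped object per 'Process:' block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                      # AV bullet belongs to the current record
            if cur is not None:
                cur.av.append(line.lstrip("• ").strip())
            continue
        key, sep, value = line.partition(":")         # split at the FIRST colon only;
        if not sep:                                   # "C:\Windows\..." keeps its own colon
            continue
        if key == "Process":                          # every record starts with this key
            cur = Dropped()
            records.append(cur)
        if cur is not None:
            cur.fields[key] = value.strip()
    return records


def triage(rec: Dropped) -> list:
    """Return the list of triage flags that apply to one dropped file."""
    f = rec.fields
    ftype = f.get("File Type", "")
    size = int(f.get("Size (bytes)", "0") or 0)
    entropy = float(f.get("Entropy (8bit)", "0") or 0)
    encrypted = f.get("Encrypted", "false").lower() == "true"
    flags = []
    if entropy >= ENTROPY_ENCRYPTED and encrypted:
        flags.append("encrypted-payload")
    if "batch file" in ftype and size <= LAUNCHER_MAX_BYTES and "%1" in f.get("Preview", ""):
        flags.append("launcher-stub")
    if ftype.startswith("PE32") and rec.av and all(a.endswith("Detection: 0%") for a in rec.av):
        flags.append("undetected-pe")
    if f.get("Process", "").lower().endswith("\\msiexec.exe"):
        flags.append("dropped-by-msiexec")
    return flags


def summarize(text: str) -> list:
    """Parse and triage; yields (sha256, flags) so the result can feed an IOC list."""
    return [(r.fields.get("SHA-256", ""), triage(r)) for r in parse_records(text)]


if __name__ == "__main__":
    for sha256, flags in summarize(SAMPLE_RECORDS):
        print(sha256, ", ".join(flags) or "-")
```

Run against the full section, the script turns the report into a hash list annotated with why each file matters: the RAR archive is the only item flagged as an encrypted payload, the batch file is the only launcher stub, and every PE record carrying a "Detection: 0%" bullet is surfaced regardless of the sandbox's own "Malicious:false" verdict, which is the point; 0% static detection on a file msiexec just wrote to disk is a reason to block on the hash, not a reason to ignore it.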
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                  Category:dropped
                                                  Size (bytes):158968
                                                  Entropy (8bit):6.4238235663554955
                                                  Encrypted:false
                                                  SSDEEP:1536:izN/1rbQ+rTccg/Lla75jjVBzYCDNzuDQr5whduOd7EKPuh9Aco6uAGUtQFUzcnX:8N/FQ+rejlaFhdrXORhjD6VGUtQWk
                                                  MD5:7FB892E2AC9FF6981B6411FF1F932556
                                                  SHA1:861B6A1E59D4CD0816F4FEC6FD4E31FDE8536C81
                                                  SHA-256:A45A29AECB118FC1A27ECA103EAD50EDD5343F85365D1E27211FE3903643C623
                                                  SHA-512:986672FBB14F3D61FFF0924801AAB3E9D6854BB3141B95EE708BF5B80F8552D5E0D57182226BABA0AE8995A6A6F613864AB0E5F26C4DCE4EB88AB82B060BDAC5
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........O.....&"...&.h..........P.....................................................`... ...................................... .......0..T....`..........X....E..H'...p..................................(...................02...............................text....f.......h..................`..`.data................l..............@....rdata...Q.......R...n..............@..@.pdata..X...........................@..@.xdata..............................@..@.bss.....................................edata....... ......................@..@.idata..T....0......................@....CRT....X....@......................@....tls.........P......................@....rsrc........`......................@....reloc.......p......................@..B................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                  Category:dropped
                                                  Size (bytes):707200
                                                  Entropy (8bit):6.610520126248797
                                                  Encrypted:false
                                                  SSDEEP:12288:hTl8xt5jEuhuoWZz8Rt5brZcXVEZMbYwepVQ0G6ddTD8qevJMLf50555555555mj:hZ8xt5jEuhuoWZz8Rt5brZcXVEZMbYJz
                                                  MD5:1144E36E0F8F739DB55A7CF9D4E21E1B
                                                  SHA1:9FA49645C0E3BAE0EDD44726138D7C72EECE06DD
                                                  SHA-256:65F8E4D76067C11F183C0E1670972D81E878E6208E501475DE514BC4ED8638FD
                                                  SHA-512:A82290D95247A67C4D06E5B120415318A0524D00B9149DDDD8B32E21BBD0EE4D86BB397778C4F137BF60DDD4167EE2E9C6490B3018031053E9FE3C0D0B3250E7
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........-.....&"...&............P.....................................................`... ......................................P.......`..........x....P......8...H'......................................(....................c..`............................text...(...........................`..`.data...............................@....rdata...s.......t..................@..@.pdata.......P...0...&..............@..@.xdata...9.......:...V..............@..@.bss.....................................edata.......P......................@..@.idata.......`......................@....CRT....`....p......................@....tls................................@....rsrc...x...........................@....reloc..............................@..B................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):12124160
                                                  Entropy (8bit):4.1175508751036585
                                                  Encrypted:false
                                                  SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                  MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                  SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                  SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                  SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                  Malicious:false
                                                  Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Java jmod module version 1.0
                                                  Category:dropped
                                                  Size (bytes):51389
                                                  Entropy (8bit):7.916683616123071
                                                  Encrypted:false
                                                  SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                  MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                  SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                  SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                  SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                  Malicious:false
                                                  Preview:JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^*#.j...R.A..qV.1o...p.....|._.-N$.!.;X....|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be.*.eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.*t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N....*..r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Java jmod module version 1.0
                                                  Category:dropped
                                                  Size (bytes):41127
                                                  Entropy (8bit):7.961466748192397
                                                  Encrypted:false
                                                  SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                  MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                  SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                  SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                  SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                  Malicious:false
                                                  Preview:JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...*A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z|*.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Java jmod module version 1.0
                                                  Category:dropped
                                                  Size (bytes):113725
                                                  Entropy (8bit):7.928841651831531
                                                  Encrypted:false
                                                  SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                  MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                  SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                  SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                  SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                  Malicious:false
                                                  Preview:JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm......*..Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h.*.^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz|..^.........8q..{...}.*G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j*..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Java jmod module version 1.0
                                                  Category:dropped
                                                  Size (bytes):896846
                                                  Entropy (8bit):7.923431656723031
                                                  Encrypted:false
                                                  SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                  MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                  SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                  SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                  SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                  Malicious:false
                                                  Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):639224
                                                  Entropy (8bit):6.219852228773659
                                                  Encrypted:false
                                                  SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                  MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                  SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                  SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                  SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):98224
                                                  Entropy (8bit):6.452201564717313
                                                  Encrypted:false
                                                  SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                  MD5:F34EB034AA4A9735218686590CBA2E8B
                                                  SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                  SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                  SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):37256
                                                  Entropy (8bit):6.297533243519742
                                                  Encrypted:false
                                                  SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                  MD5:135359D350F72AD4BF716B764D39E749
                                                  SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                  SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                  SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):53576
                                                  Entropy (8bit):6.371750593889357
                                                  Encrypted:false
                                                  SSDEEP:1536:ij2SSS5nVoSiH/pOfv3Q3cY37Hx1nI6q:GhSSntiH/pOfvAf3
                                                  MD5:E1EEBD44F9F4B52229D6E54155876056
                                                  SHA1:052CEA514FC3DA5A23DE6541F97CD4D5E9009E58
                                                  SHA-256:D96F2242444A334319B4286403D4BFADAF3F9FCCF390F3DD40BE32FB48CA512A
                                                  SHA-512:235BB9516409A55FE7DDB49B4F3179BDCA406D62FD0EC1345ACDDF032B0F3F111C43FF957D4D09AD683D39449C0FFC4C050B387507FADF5384940BD973DAB159
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                  Category:dropped
                                                  Size (bytes):144200
                                                  Entropy (8bit):6.592048391646652
                                                  Encrypted:false
                                                  SSDEEP:1536:GjxOs8gLeu4iSssNiTh9Yks32X3KqVy5SmBolzXfqLROJA0o1ZXMvr7Rn6dheIOI:I34iDsG5vm4bfqFKoDmr7h2MHTtwV6K
                                                  MD5:3A0DBC5701D20AA87BE5680111A47662
                                                  SHA1:BC581374CA1EBE8565DB182AC75FB37413220F03
                                                  SHA-256:D53BC4348AD6355C20F75ED16A2F4F641D24881956A7AE8A0B739C0B50CF8091
                                                  SHA-512:4740945606636C110AB6C365BD1BE6377A2A9AC224DE6A79AA506183472A9AD0641ECC63E5C5219EE8097ADEF6533AB35E2594D6F8A91788347FDA93CDB0440E
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {249992BD-A78D-4A60-8413-E3315B4B9EB3}, Number of Words: 10, Subject: Strave App, Author: Triaox Completely Solutions, Name of Creating Application: Strave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Strave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Dec 29 14:50:09 2024, Last Saved Time/Date: Sun Dec 29 14:50:09 2024, Last Printed: Sun Dec 29 14:50:09 2024, Number of Pages: 450
                                                  Category:dropped
                                                  Size (bytes):60716544
                                                  Entropy (8bit):7.214699868014829
                                                  Encrypted:false
                                                  SSDEEP:1572864:SrQVmrjV7eIvnOTZZcak5wE7nTZh8MoF:MT4c7XzVC5
                                                  MD5:80E352AFEF4EF8FF92C50BC3C6A251E3
                                                  SHA1:39045DB215DECCEBF3DF240A0550137C90A32471
                                                  SHA-256:E322369C9865D42358C67B4BF4ABDB4682F423B7AD6A7B25ADA1B96FF42FB2CC
                                                  SHA-512:19C9A526B46B9A681C04F047A05A2CD7CDA8F324F7A94C7A428DC64AD17199A9A5B3AEC96C751E37C5D32676E86ADB005E485F4619CF3806A8CB2529E24EB844
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {249992BD-A78D-4A60-8413-E3315B4B9EB3}, Number of Words: 10, Subject: Strave App, Author: Triaox Completely Solutions, Name of Creating Application: Strave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Strave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Dec 29 14:50:09 2024, Last Saved Time/Date: Sun Dec 29 14:50:09 2024, Last Printed: Sun Dec 29 14:50:09 2024, Number of Pages: 450
                                                  Category:dropped
                                                  Size (bytes):60716544
                                                  Entropy (8bit):7.214699868014829
                                                  Encrypted:false
                                                  SSDEEP:1572864:SrQVmrjV7eIvnOTZZcak5wE7nTZh8MoF:MT4c7XzVC5
                                                  MD5:80E352AFEF4EF8FF92C50BC3C6A251E3
                                                  SHA1:39045DB215DECCEBF3DF240A0550137C90A32471
                                                  SHA-256:E322369C9865D42358C67B4BF4ABDB4682F423B7AD6A7B25ADA1B96FF42FB2CC
                                                  SHA-512:19C9A526B46B9A681C04F047A05A2CD7CDA8F324F7A94C7A428DC64AD17199A9A5B3AEC96C751E37C5D32676E86ADB005E485F4619CF3806A8CB2529E24EB844
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1021792
                                                  Entropy (8bit):6.608727172078022
                                                  Encrypted:false
                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1021792
                                                  Entropy (8bit):6.608727172078022
                                                  Encrypted:false
                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1021792
                                                  Entropy (8bit):6.608727172078022
                                                  Encrypted:false
                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1021792
                                                  Entropy (8bit):6.608727172078022
                                                  Encrypted:false
                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1201504
                                                  Entropy (8bit):6.4557937684843365
                                                  Encrypted:false
                                                  SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                  MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                  SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                  SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                  SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1021792
                                                  Entropy (8bit):6.608727172078022
                                                  Encrypted:false
                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1021792
                                                  Entropy (8bit):6.608727172078022
                                                  Encrypted:false
                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):380520
                                                  Entropy (8bit):6.512348002260683
                                                  Encrypted:false
                                                  SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                  MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                  SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                  SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                  SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):215952
                                                  Entropy (8bit):4.955920194618924
                                                  Encrypted:false
                                                  SSDEEP:1536:2RGjX9WTU1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9yk7G:2SX9L1Z0vZXJZYDFufyXbJNCcE
                                                  MD5:07D827F2E6906040E316A04386CEE833
                                                  SHA1:51D40381FBEC02B38B2E267616B288AF54861949
                                                  SHA-256:2FCA4029D7FDF1FDE4BDB8C5F457F73CA8B351026E66BBE73AE61DA19468A950
                                                  SHA-512:4400E0ADB9ADD48A64F6F6A1E526DB03F2B8B0EC9FDE71ECE3237B553E3D07A7961D216913FBE5CA10322B7C41F531C0ABEC914B52F5F7AB81754F34CA5630B8
                                                  Malicious:false
                                                  Preview:...@IXOS.@.....@.d.Y.@.....@.....@.....@.....@.....@......&.{99E2ED1F-7904-4599-AE90-6B3BEDE132E4}..Strave App..setup.msi.@.....@.....@.....@......icon_24.exe..&.{249992BD-A78D-4A60-8413-E3315B4B9EB3}.....@.....@.....@.....@.......@.....@.....@.......@......Strave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@3....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}F.C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82};.21:\Software\Triaox Completely Solutions\Strave App\Version.@.......@.....@.....@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}O.C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\utest.dll.@.......@.....@.....@......&.{B61B35E4-8BE1-4171-B69B-E2423CE9179F}V.C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\vcruntime140.dll.@...
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):787808
                                                  Entropy (8bit):6.693392695195763
                                                  Encrypted:false
                                                  SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                  MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                  SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                  SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                  SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):1.1621048051928857
                                                  Encrypted:false
                                                  SSDEEP:12:JSbX72Fj1fAGiLIlHVRpMh/7777777777777777777777777vDHF6qUKC3fp3XlN:JfQI5cyth6F
                                                  MD5:9D7168EE3B9AD0F2BE9473695950C8C7
                                                  SHA1:4A13FC8AC55BF285AFC021324FF431F5C67575EB
                                                  SHA-256:ED92B70A5B029B8367832026423615ACD4C148458811F28A1A5BDE02780C69BE
                                                  SHA-512:50BD7D218FF6938D0A97E07B628C07544CC284B97CA5CBE1ABC8AD30D744E3A46240EB6F694D0D6F8E80C66560AF3098309BEA6E7D10A81CC9BF20C1F6A9F41D
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):1.5860734220955992
                                                  Encrypted:false
                                                  SSDEEP:48:08PhuuRc06WXOCnT5w4SVD8lQMoAECiCyKSCD8l5oiXOD8lQSCD8lITuN:Lhu1UnTGiEChMXGQ
                                                  MD5:BA84B1A9077F01FD4A618D52B00FA141
                                                  SHA1:C4070EFCCFE9EC263E97E7E4444458B32B34D7AB
                                                  SHA-256:3231AB13FE66E12B55CADF78A9985FDF49694AD7B4F1AFADD355BD2011E9919C
                                                  SHA-512:39BF13B2A654D80FD274B8DE9A4D7FD2AF5528FF5F14A21786A3D555D7B145BB134F6A479BA8EDA22A4291E8FA9E9C87054C515DF56BEA256F632CDF96665649
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):432221
                                                  Entropy (8bit):5.375183325014179
                                                  Encrypted:false
                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauZ:zTtbmkExhMJCIpEr0
                                                  MD5:6492B24E5EF197F0BFAAF5EBB1753810
                                                  SHA1:A5E2ACB093249AC5F446733377363F155DAC559E
                                                  SHA-256:1B471759CA73243AFA51090C688CD164414D4EE4468F66F24022F4F8406CEAC0
                                                  SHA-512:8825CF24ECD60E3A9C319B19C28E2BB223B0A9F74F44A806B34CF81F102332EFCDC3CBA4BF52028062EB470CA0A4D7872C7DBAF895795B3BAD77E24C13F1D33A
                                                  Malicious:false
                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):1.2692193160445753
                                                  Encrypted:false
                                                  SSDEEP:48:0RmuMNvcFXOxT5K4SVD8lQMoAECiCyKSCD8l5oiXOD8lQSCD8lITuN:smssTQiEChMXGQ
                                                  MD5:00D12CC65D17588BF3C43313DA3609AD
                                                  SHA1:407214712D71B121F38928DAAE4B2941F6197BBE
                                                  SHA-256:9A396EE4BBEC0F1CF6EF80AD218363FD4CD3F9A96AAD5EEA85016B6080EB959F
                                                  SHA-512:86E51D62665557BC06C9698AAAC4F874FC6FDF43A7894B529CAF90A481F5467173B6E1D14AD19674B631B1CFE8EA889C34AA59B3AA23A409CC8D012E1168F0BF
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):73728
                                                  Entropy (8bit):0.14587294006547544
                                                  Encrypted:false
                                                  SSDEEP:48:FNXTeD8lQSCD8llD8lQMoAECiCyKSCD8l5oiXF24:F05EChMXF
                                                  MD5:CD70F4180D5A24D2DAF6D25D05E15022
                                                  SHA1:493DC69F0C8A458B1B67F3F89C966E74D12A2507
                                                  SHA-256:445DF026FD3E078B9CCDF42C36ECEE03808B53A6CC32D92B669E6B59AADE5A97
                                                  SHA-512:FB1846F6E36C938D59F6720497D070D8C2805123928E94E35730E495CF65BF55C4E9D114A6A64B22F27FA9D21BFE8B9545522DC9C62E17BE85F6A71D570A0514
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):1.5860734220955992
                                                  Encrypted:false
                                                  SSDEEP:48:08PhuuRc06WXOCnT5w4SVD8lQMoAECiCyKSCD8l5oiXOD8lQSCD8lITuN:Lhu1UnTGiEChMXGQ
                                                  MD5:BA84B1A9077F01FD4A618D52B00FA141
                                                  SHA1:C4070EFCCFE9EC263E97E7E4444458B32B34D7AB
                                                  SHA-256:3231AB13FE66E12B55CADF78A9985FDF49694AD7B4F1AFADD355BD2011E9919C
                                                  SHA-512:39BF13B2A654D80FD274B8DE9A4D7FD2AF5528FF5F14A21786A3D555D7B145BB134F6A479BA8EDA22A4291E8FA9E9C87054C515DF56BEA256F632CDF96665649
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):1.2692193160445753
                                                  Encrypted:false
                                                  SSDEEP:48:0RmuMNvcFXOxT5K4SVD8lQMoAECiCyKSCD8l5oiXOD8lQSCD8lITuN:smssTQiEChMXGQ
                                                  MD5:00D12CC65D17588BF3C43313DA3609AD
                                                  SHA1:407214712D71B121F38928DAAE4B2941F6197BBE
                                                  SHA-256:9A396EE4BBEC0F1CF6EF80AD218363FD4CD3F9A96AAD5EEA85016B6080EB959F
                                                  SHA-512:86E51D62665557BC06C9698AAAC4F874FC6FDF43A7894B529CAF90A481F5467173B6E1D14AD19674B631B1CFE8EA889C34AA59B3AA23A409CC8D012E1168F0BF
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):1.5860734220955992
                                                  Encrypted:false
                                                  SSDEEP:48:08PhuuRc06WXOCnT5w4SVD8lQMoAECiCyKSCD8l5oiXOD8lQSCD8lITuN:Lhu1UnTGiEChMXGQ
                                                  MD5:BA84B1A9077F01FD4A618D52B00FA141
                                                  SHA1:C4070EFCCFE9EC263E97E7E4444458B32B34D7AB
                                                  SHA-256:3231AB13FE66E12B55CADF78A9985FDF49694AD7B4F1AFADD355BD2011E9919C
                                                  SHA-512:39BF13B2A654D80FD274B8DE9A4D7FD2AF5528FF5F14A21786A3D555D7B145BB134F6A479BA8EDA22A4291E8FA9E9C87054C515DF56BEA256F632CDF96665649
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):1.2692193160445753
                                                  Encrypted:false
                                                  SSDEEP:48:0RmuMNvcFXOxT5K4SVD8lQMoAECiCyKSCD8l5oiXOD8lQSCD8lITuN:smssTQiEChMXGQ
                                                  MD5:00D12CC65D17588BF3C43313DA3609AD
                                                  SHA1:407214712D71B121F38928DAAE4B2941F6197BBE
                                                  SHA-256:9A396EE4BBEC0F1CF6EF80AD218363FD4CD3F9A96AAD5EEA85016B6080EB959F
                                                  SHA-512:86E51D62665557BC06C9698AAAC4F874FC6FDF43A7894B529CAF90A481F5467173B6E1D14AD19674B631B1CFE8EA889C34AA59B3AA23A409CC8D012E1168F0BF
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):32768
                                                  Entropy (8bit):0.0689400817940797
                                                  Encrypted:false
                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO6qUfoxC3QyVky6l3X:2F0i8n0itFzDHF6qUKC3q3X
                                                  MD5:E8FE55FDFB32119F173A613E57580C32
                                                  SHA1:BC63A247381095C974EDB3B87D79258754B16C64
                                                  SHA-256:5D26435E09F6412E82D9291D8C5B7D41F40EEFCD1A7AA5496BDD338FB321B875
                                                  SHA-512:6965A0ADCBDF7636E1B3933B42F25EEEA0951E1AC55CA21647BF669F36B71616A9DE96438D39C8155646A2C9C875EC4362E03D46707EA10D80A8F5E837DDE2B0
                                                  Malicious:false
                                                  Process:C:\Windows\System32\msiexec.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):638
                                                  Entropy (8bit):4.751962275036146
                                                  Encrypted:false
                                                  SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                  MD5:15CA959638E74EEC47E0830B90D0696E
                                                  SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                  SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                  SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                  Malicious:false
                                                  Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {249992BD-A78D-4A60-8413-E3315B4B9EB3}, Number of Words: 10, Subject: Strave App, Author: Triaox Completely Solutions, Name of Creating Application: Strave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Strave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Dec 29 14:50:09 2024, Last Saved Time/Date: Sun Dec 29 14:50:09 2024, Last Printed: Sun Dec 29 14:50:09 2024, Number of Pages: 450
                                                  Entropy (8bit):7.214699868014829
                                                  TrID:
                                                  • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                  • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                  File name:setup.msi
                                                  File size:60'716'544 bytes
                                                  MD5:80e352afef4ef8ff92c50bc3c6a251e3
                                                  SHA1:39045db215deccebf3df240a0550137c90a32471
                                                  SHA256:e322369c9865d42358c67b4bf4abdb4682f423b7ad6a7b25ada1b96ff42fb2cc
                                                  SHA512:19c9a526b46b9a681c04f047a05a2cd7cda8f324f7a94c7a428dc64ad17199a9a5b3aec96c751e37c5d32676e86adb005e485f4619cf3806a8cb2529e24eb844
                                                  SSDEEP:1572864:SrQVmrjV7eIvnOTZZcak5wE7nTZh8MoF:MT4c7XzVC5
                                                  TLSH:A5D76C01B3FA4148F2F75EB17EBA85A5947ABD521B30C0EF1244A60E1B71BC25BB1763
                                                  File Content Preview:........................>............................................2..................................................................x......................................................................................................................
                                                  Icon Hash:2d2e3797b32b2b99
                                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                  2024-12-29T18:38:15.650242+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49730 | 104.21.0.151 | 443 | TCP
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Dec 29, 2024 18:38:14.287026882 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:14.287079096 CET | 443 | 49730 | 104.21.0.151 | 192.168.2.4
                                                  Dec 29, 2024 18:38:14.287139893 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:14.291095972 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:14.291110992 CET | 443 | 49730 | 104.21.0.151 | 192.168.2.4
                                                  Dec 29, 2024 18:38:15.604878902 CET | 443 | 49730 | 104.21.0.151 | 192.168.2.4
                                                  Dec 29, 2024 18:38:15.604976892 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:15.645798922 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:15.645817041 CET | 443 | 49730 | 104.21.0.151 | 192.168.2.4
                                                  Dec 29, 2024 18:38:15.646090031 CET | 443 | 49730 | 104.21.0.151 | 192.168.2.4
                                                  Dec 29, 2024 18:38:15.646143913 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:15.650095940 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:15.650199890 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:15.650227070 CET | 443 | 49730 | 104.21.0.151 | 192.168.2.4
                                                  Dec 29, 2024 18:38:16.400165081 CET | 443 | 49730 | 104.21.0.151 | 192.168.2.4
                                                  Dec 29, 2024 18:38:16.400224924 CET | 443 | 49730 | 104.21.0.151 | 192.168.2.4
                                                  Dec 29, 2024 18:38:16.400243044 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:16.400268078 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:16.400624037 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:16.400650024 CET | 443 | 49730 | 104.21.0.151 | 192.168.2.4
                                                  Dec 29, 2024 18:38:16.400660038 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Dec 29, 2024 18:38:16.400693893 CET | 49730 | 443 | 192.168.2.4 | 104.21.0.151
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Dec 29, 2024 18:38:13.954982042 CET | 55869 | 53 | 192.168.2.4 | 1.1.1.1
                                                  Dec 29, 2024 18:38:14.281878948 CET | 53 | 55869 | 1.1.1.1 | 192.168.2.4
                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                  Dec 29, 2024 18:38:13.954982042 CET | 192.168.2.4 | 1.1.1.1 | 0x82bd | Standard query (0) | kevinflansburg.com | A (IP address) | IN (0x0001) | false
                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                  Dec 29, 2024 18:38:14.281878948 CET | 1.1.1.1 | 192.168.2.4 | 0x82bd | No error (0) | kevinflansburg.com | | 104.21.0.151 | A (IP address) | IN (0x0001) | false
                                                  Dec 29, 2024 18:38:14.281878948 CET | 1.1.1.1 | 192.168.2.4 | 0x82bd | No error (0) | kevinflansburg.com | | 172.67.151.29 | A (IP address) | IN (0x0001) | false
                                                  • kevinflansburg.com
                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  0 | 192.168.2.4 | 49730 | 104.21.0.151 | 443 | 7120 | C:\Windows\SysWOW64\msiexec.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-12-29 17:38:15 UTC | 196 | OUT | POST /updater.php HTTP/1.1
                                                  Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                  User-Agent: AdvancedInstaller
                                                  Host: kevinflansburg.com
                                                  Content-Length: 71
                                                  Cache-Control: no-cache
                                                  2024-12-29 17:38:15 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 32 39 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 31 32 25 33 41 33 38 25 33 41 31 33 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                  Data Ascii: Date=29%2F12%2F2024&Time=12%3A38%3A13&BuildVersion=8.9.9&SoroqVins=True
                                                  2024-12-29 17:38:16 UTC | 837 | IN | HTTP/1.1 500 Internal Server Error
                                                  Date: Sun, 29 Dec 2024 17:38:16 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Cache-Control: no-store
                                                  cf-cache-status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JsgyL9%2F08ETNC0JrZUAMdZMCOreS0ssbMn8PjsQSA2YpBXSgsDmTM640YyFrJc5dHd3HKsgIZGnAZ2%2FfHCuhHyfC5A4P%2B7bsrV6o00MDJvq6xvP933ZGFZBGsKOK6Ub%2Fsxo1e5A%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8f9b90114ba342b5-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1576&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=927&delivery_rate=1805813&cwnd=218&unsent_bytes=0&cid=059c970b25522cf1&ts=794&x=0"
                                                  2024-12-29 17:38:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Target ID:0
                                                  Start time:12:38:02
                                                  Start date:29/12/2024
                                                  Path:C:\Windows\System32\msiexec.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                                  Imagebase:0x7ff79ba60000
                                                  File size:69'632 bytes
                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:12:38:02
                                                  Start date:29/12/2024
                                                  Path:C:\Windows\System32\msiexec.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                  Imagebase:0x7ff79ba60000
                                                  File size:69'632 bytes
                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:2
                                                  Start time:12:38:05
                                                  Start date:29/12/2024
                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 7CC5C262EC3DC128EF58C787A8497377
                                                  Imagebase:0x870000
                                                  File size:59'904 bytes
                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:12:38:16
                                                  Start date:29/12/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssC16C.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiC169.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrC16A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrC16B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                  Imagebase:0xe10000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:12:38:16
                                                  Start date:29/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:12:38:22
                                                  Start date:29/12/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe""
                                                  Imagebase:0x7ff7f5dd0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:12:38:22
                                                  Start date:29/12/2024
                                                  Path:C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\createdump.exe"
                                                  Imagebase:0x7ff64d310000
                                                  File size:57'488 bytes
                                                  MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:12:38:22
                                                  Start date:29/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0xb90000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:12:38:23
                                                  Start date:29/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:12:38:23
                                                  Start date:29/12/2024
                                                  Path:C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Triaox Completely Solutions\Strave App\obs-ffmpeg-mux.exe"
                                                  Imagebase:0x7ff640a00000
                                                  File size:35'656 bytes
                                                  MD5 hash:D3CAC4D7B35BACAE314F48C374452D71
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:12:38:23
                                                  Start date:29/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1812465580.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6f80000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $^q$$^q$$^q
                                                    • API String ID: 0-831282457
                                                    • Opcode ID: 8e1efc25c6059e39049a5c4a1fca44f48ff08f475c960915d8ceadd672b99ff2
                                                    • Instruction ID: 1f7b5781b66dc29535b0ec3bb597dadd4243001d45093a2b13df5f8fef575c0f
                                                    • Opcode Fuzzy Hash: 8e1efc25c6059e39049a5c4a1fca44f48ff08f475c960915d8ceadd672b99ff2
                                                    • Instruction Fuzzy Hash: CB51E531F0020A9FDB64EF69D544AAA7BE6AF85310F1485BAE409CB352DB31CD46C7A1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1807695958.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_860000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 91a8befd6d9bbd62805744a1c0d3193f3eb9b1a61c0efec035ac5fa74da0366b
                                                    • Instruction ID: 6a5897a7bb54ab08375544fda8d1b50128542b4845fd4228da137994d65c8e2d
                                                    • Opcode Fuzzy Hash: 91a8befd6d9bbd62805744a1c0d3193f3eb9b1a61c0efec035ac5fa74da0366b
                                                    • Instruction Fuzzy Hash: E7A14035A00208DFDB14DFA4D944A9DB7B2FF84310F268669E40AEF365DB74AD49CB40
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1807695958.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_860000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 929af927d9852d105a1cd5be9a178842076d8a6fe0eac60812e49cee25a94b61

Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.7%
Total number of Nodes: 701
Total number of Limit Nodes: 1
7ff64d313838 RtlUnwindEx 2885->2927 2889 7ff64d315169 2888->2889 2890 7ff64d314ef4 2888->2890 2891 7ff64d312660 __GSHandlerCheck_EH 8 API calls 2889->2891 2892 7ff64d3143d0 _CreateFrameInfo 10 API calls 2890->2892 2893 7ff64d315175 2891->2893 2894 7ff64d314ef9 2892->2894 2893->2819 2895 7ff64d314f60 __GSHandlerCheck_EH 2894->2895 2896 7ff64d314f0e EncodePointer 2894->2896 2895->2889 2898 7ff64d315189 abort 2895->2898 2902 7ff64d314f82 __GSHandlerCheck_EH 2895->2902 2897 7ff64d3143d0 _CreateFrameInfo 10 API calls 2896->2897 2899 7ff64d314f1e 2897->2899 2899->2895 2951 7ff64d3134f8 2899->2951 2901 7ff64d3148d0 __GSHandlerCheck_EH 21 API calls 2901->2902 2902->2889 2902->2901 2903 7ff64d313ba8 10 API calls BuildCatchObjectHelperInternal 2902->2903 2903->2902 2905 7ff64d3151bd 2904->2905 2916 7ff64d31524c 2904->2916 2906 7ff64d313ba8 BuildCatchObjectHelperInternal 10 API calls 2905->2906 2907 7ff64d3151c6 2906->2907 2908 7ff64d313ba8 BuildCatchObjectHelperInternal 10 API calls 2907->2908 2909 7ff64d3151df 2907->2909 2907->2916 2908->2909 2910 7ff64d31520b 2909->2910 2911 7ff64d313ba8 BuildCatchObjectHelperInternal 10 API calls 2909->2911 2909->2916 2912 7ff64d313bbc BuildCatchObjectHelperInternal 10 API calls 2910->2912 2911->2910 2913 7ff64d31521f 2912->2913 2914 7ff64d315238 2913->2914 2915 7ff64d313ba8 BuildCatchObjectHelperInternal 10 API calls 2913->2915 2913->2916 2917 7ff64d313bbc BuildCatchObjectHelperInternal 10 API calls 2914->2917 2915->2914 2916->2861 2917->2916 2919 7ff64d31482f 2918->2919 2930 7ff64d314608 2919->2930 2921 7ff64d314840 2922 7ff64d314881 __AdjustPointer 2921->2922 2925 7ff64d314845 __AdjustPointer 2921->2925 2923 7ff64d314864 BuildCatchObjectHelperInternal 2922->2923 2924 7ff64d313bbc BuildCatchObjectHelperInternal 10 API calls 2922->2924 2923->2882 2924->2923 2925->2923 2926 7ff64d313bbc BuildCatchObjectHelperInternal 10 API calls 2925->2926 2926->2923 2928 7ff64d312660 __GSHandlerCheck_EH 8 API calls 2927->2928 2929 7ff64d31394e 
2928->2929 2929->2840 2931 7ff64d314635 2930->2931 2933 7ff64d31463e 2930->2933 2932 7ff64d313ba8 BuildCatchObjectHelperInternal 10 API calls 2931->2932 2932->2933 2934 7ff64d313ba8 BuildCatchObjectHelperInternal 10 API calls 2933->2934 2935 7ff64d31465d 2933->2935 2942 7ff64d3146c2 __AdjustPointer BuildCatchObjectHelperInternal 2933->2942 2934->2935 2936 7ff64d3146aa 2935->2936 2937 7ff64d3146ca 2935->2937 2935->2942 2939 7ff64d3147e9 abort abort 2936->2939 2936->2942 2938 7ff64d313bbc BuildCatchObjectHelperInternal 10 API calls 2937->2938 2941 7ff64d31474a 2937->2941 2937->2942 2938->2941 2940 7ff64d31480c 2939->2940 2943 7ff64d314608 BuildCatchObjectHelperInternal 10 API calls 2940->2943 2941->2942 2944 7ff64d313bbc BuildCatchObjectHelperInternal 10 API calls 2941->2944 2942->2921 2945 7ff64d314840 2943->2945 2944->2942 2946 7ff64d314881 __AdjustPointer 2945->2946 2947 7ff64d314845 __AdjustPointer 2945->2947 2948 7ff64d313bbc BuildCatchObjectHelperInternal 10 API calls 2946->2948 2950 7ff64d314864 BuildCatchObjectHelperInternal 2946->2950 2949 7ff64d313bbc BuildCatchObjectHelperInternal 10 API calls 2947->2949 2947->2950 2948->2950 2949->2950 2950->2921 2952 7ff64d3143d0 _CreateFrameInfo 10 API calls 2951->2952 2953 7ff64d313524 2952->2953 2953->2895 2954 7ff64d3143b0 2955 7ff64d3143b9 2954->2955 2956 7ff64d3143ca 2954->2956 2955->2956 2957 7ff64d3143c5 free 2955->2957 2957->2956 3107 7ff64d312970 3110 7ff64d312da0 3107->3110 3111 7ff64d312979 3110->3111 3112 7ff64d312dc3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 3110->3112 3112->3111 3113 7ff64d317372 3114 7ff64d3143d0 _CreateFrameInfo 10 API calls 3113->3114 3115 7ff64d317389 3114->3115 3116 7ff64d3143d0 _CreateFrameInfo 10 API calls 3115->3116 3117 7ff64d3173a4 3116->3117 3118 7ff64d3143d0 _CreateFrameInfo 10 API calls 3117->3118 3119 7ff64d3173ad 3118->3119 3120 7ff64d315414 __GSHandlerCheck_EH 31 API calls 3119->3120 3121 7ff64d3173f3 3120->3121 3122 7ff64d3143d0 
_CreateFrameInfo 10 API calls 3121->3122 3123 7ff64d3173f8 3122->3123 3124 7ff64d315f75 3132 7ff64d315e35 __GSHandlerCheck_EH 3124->3132 3125 7ff64d315f92 3126 7ff64d3143d0 _CreateFrameInfo 10 API calls 3125->3126 3127 7ff64d315f97 3126->3127 3128 7ff64d315fa2 3127->3128 3129 7ff64d3143d0 _CreateFrameInfo 10 API calls 3127->3129 3130 7ff64d312660 __GSHandlerCheck_EH 8 API calls 3128->3130 3129->3128 3131 7ff64d315fb5 3130->3131 3132->3125 3133 7ff64d313bd0 __GSHandlerCheck_EH 10 API calls 3132->3133 3133->3132

                                                    Control-flow Graph
                                                    (graph render omitted) Function 7ff64d311060 is the createdump argument parser: it compares each argument with strcmp against the option strings listed below, converts the pid with atoi, builds the default dump path with GetTempPathA followed by strcat_s, and reports failures through GetLastError, __acrt_iob_func and fflush.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                    • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                    • API String ID: 2647627392-2367407095
                                                    • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                    • Instruction ID: fb9030d0bfba30c23cfa3619cb1cdcc493f979f288304d98da13af6efda21e4e
                                                    • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                    • Instruction Fuzzy Hash: 71A14E62D0C68355FB63BB20A8402BDEFE4AF47794F085131CA5E8669AFE7CE845C311
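The usage string and the GetTempPathA/strcat_s calls recorded for this function describe how the createdump binary derives its output path: the --name template defaults to '%TEMP%\dump.%p.dmp', and %p, %e and %h are replaced by the PID, executable file name and hostname of the dumped process. The Python below is an added illustration of that substitution; it is not code from the sample or from the createdump project. It takes the pid, executable name and hostname as parameters (the binary obtains them from the command line, from OpenProcess/K32GetModuleBaseNameA as the API list further down shows, and from gethostname) and uses tempfile.gettempdir() as a stand-in for GetTempPathA. The MAX_PATH buffer size and the handling of unknown %x specifiers are assumptions; the page only shows that a strcat_s failure is reported.

```python
import tempfile

# Assumption: the destination buffer is MAX_PATH bytes. The page shows that a
# strcat_s failure is reported ("strcat_s failed (%d)") but not the buffer size.
MAX_PATH = 260

# Tail of the default template from the usage string '%TEMP%\dump.%p.dmp'.
DEFAULT_TAIL = "dump.%p.dmp"


def default_dump_template(temp_dir=None, max_len=MAX_PATH):
    """Build the default --name template the way the graph shows it:
    GetTempPathA (here tempfile.gettempdir()) followed by strcat_s of
    'dump.%p.dmp'. Raises ValueError where the binary reports
    'strcat_s failed', i.e. when the result would not fit the buffer."""
    if temp_dir is None:
        temp_dir = tempfile.gettempdir()
    if not temp_dir.endswith(("\\", "/")):
        temp_dir += "\\"  # GetTempPathA returns the directory with a trailing backslash
    template = temp_dir + DEFAULT_TAIL
    if len(template) + 1 > max_len:  # +1 for the terminating NUL
        raise ValueError("strcat_s failed: path exceeds %d bytes" % max_len)
    return template


def expand_dump_name(template, pid, exe_name, hostname):
    """Substitute the specifiers documented in the usage string:
    %p -> PID of the dumped process, %e -> its executable file name,
    %h -> hostname. Any other '%x' sequence is kept literally (assumption;
    the page does not document that case)."""
    values = {"p": str(pid), "e": exe_name, "h": hostname}
    out = []
    i = 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in values:
            out.append(values[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs; in the binary they come from the command line,
    # OpenProcess/K32GetModuleBaseNameA and gethostname.
    tmpl = default_dump_template("C:\\Users\\user\\AppData\\Local\\Temp\\")
    print(expand_dump_name(tmpl, 4120, "app.exe", "HOST01"))
    print(expand_dump_name("C:\\dumps\\%h-%e-%p.dmp", 4120, "app.exe", "HOST01"))
```

For triage this gives the artefact to look for: with no --name argument a dump written by this tool lands in the invoking user's temp directory as dump.<pid>.dmp, which is where the "Writing %s to file %s" message further down points.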

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                    • String ID:
                                                    • API String ID: 2308368977-0
                                                    • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                    • Instruction ID: def7a4a9f0d0fa2427c0c865607ac86b87411f10906426ea37cd4039de7df220
                                                    • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                    • Instruction Fuzzy Hash: 9A311925E0C24346FA16FB25A4223BDEA91AF47784F485435EA8DC73E7FE2CA8458354

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                    • String ID: [createdump]
                                                    • API String ID: 3735572767-2657508301
                                                    • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                    • Instruction ID: 5a4230425df10caefb50982474ace02180c2e9be7678fb507c646ade10b1a7e8
                                                    • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                    • Instruction Fuzzy Hash: 0C014B61E0CB8292E602BB50F8051AEEB64EB86BD1F004539EE8D83769EF7CD456C704

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                    • String ID:
                                                    • API String ID: 3140674995-0
                                                    • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                    • Instruction ID: e888f062d2364e29be10fdc79d3d8c117f43e2075c409ea758954e3c9c5e40d4
                                                    • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                    • Instruction Fuzzy Hash: B2316072A08A8796EB61EF60E8403EDB761FB45744F444039DA4E87B94EF3CC648C714
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                    • Instruction ID: f72f376f643a33cd90f26de36e94046072ff2d36a4ef59ccc4c09454c405b095
                                                    • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                    • Instruction Fuzzy Hash: 07A00221D0CC07F0EA46FB10EC54139AB70FF52304B400531D04EC10A0BF3CA544C304

                                                    Control-flow Graph

                                                    APIs
                                                    • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64D31242D
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64D31243B
                                                      • Part of subcall function 00007FF64D311450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D311475
                                                      • Part of subcall function 00007FF64D311450: fprintf.MSPDB140-MSVCRT ref: 00007FF64D311485
                                                      • Part of subcall function 00007FF64D311450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D311494
                                                      • Part of subcall function 00007FF64D311450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D3114B3
                                                      • Part of subcall function 00007FF64D311450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D3114BE
                                                      • Part of subcall function 00007FF64D311450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D3114C7
                                                    • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64D312466
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64D312470
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64D312487
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF64D3125F3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                    • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                    • API String ID: 3971781330-1292085346
                                                    • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                    • Instruction ID: e724c626cd69d300347047547de7a8282c9bf1c8a85167c78a30900503fb1e6c
                                                    • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                    • Instruction Fuzzy Hash: F0615335E0CA4392E611FB15E45166EFBA1FB8A794F500134EE9D83AA9EF3DE445C700

                                                    Control-flow Graph

                                                    (graph render omitted) Function 7ff64d3149a4 is MSVC C++ exception-dispatch runtime code: it calls _CreateFrameInfo, BuildCatchObjectHelperInternal, Is_bad_exception_allowed and std::bad_alloc::bad_alloc, and ends in abort or terminate on its failure paths.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 695522112-393685449
                                                    • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                    • Instruction ID: 89c471cc80c1f528af3a69c66c7405f107789a5346bbdfab2815c1c189c21960
                                                    • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                    • Instruction Fuzzy Hash: 5CE18072D0C6878AEB12BF24D4803ADBBA0FB46798F144135DA8D87796EF38E595C700

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                    • String ID: [createdump]
                                                    • API String ID: 3735572767-2657508301
                                                    • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                    • Instruction ID: 1bcd34ff3ade77b42472efc79fa6a1f31a58a34b8bb389b413de1e591f740117
                                                    • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                    • Instruction Fuzzy Hash: 79012C71E0CB4292E702BB50F8141AEAB60EB86BD1F004135DE8D43765AF7CD496C744

                                                    Control-flow Graph

                                                    APIs
                                                    • WSAStartup.WS2_32 ref: 00007FF64D31186C
                                                      • Part of subcall function 00007FF64D311450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D311475
                                                      • Part of subcall function 00007FF64D311450: fprintf.MSPDB140-MSVCRT ref: 00007FF64D311485
                                                      • Part of subcall function 00007FF64D311450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D311494
                                                      • Part of subcall function 00007FF64D311450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D3114B3
                                                      • Part of subcall function 00007FF64D311450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D3114BE
                                                      • Part of subcall function 00007FF64D311450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D3114C7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                    • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                    • API String ID: 3378602911-3973674938
                                                    • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                    • Instruction ID: 798c0b3d477707b4d3ace2c872365dfab37991f55efb4eef673efc1897aa75f9
                                                    • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                    • Instruction Fuzzy Hash: FC31D262E0CA8286E75ABF1598557FDABA1BB477C4F444032EE4D83396EE3CE545C300

                                                    Control-flow Graph

                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF64D31669F,?,?,?,00007FF64D31441E,?,?,?,00007FF64D3143D9), ref: 00007FF64D31651D
                                                    • GetLastError.KERNEL32(?,00000000,00007FF64D31669F,?,?,?,00007FF64D31441E,?,?,?,00007FF64D3143D9,?,?,?,?,00007FF64D313524), ref: 00007FF64D31652B
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00007FF64D31669F,?,?,?,00007FF64D31441E,?,?,?,00007FF64D3143D9,?,?,?,?,00007FF64D313524), ref: 00007FF64D316555
                                                    • FreeLibrary.KERNEL32(?,00000000,00007FF64D31669F,?,?,?,00007FF64D31441E,?,?,?,00007FF64D3143D9,?,?,?,?,00007FF64D313524), ref: 00007FF64D31659B
                                                    • GetProcAddress.KERNEL32(?,00000000,00007FF64D31669F,?,?,?,00007FF64D31441E,?,?,?,00007FF64D3143D9,?,?,?,?,00007FF64D313524), ref: 00007FF64D3165A7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                    • String ID: api-ms-
                                                    • API String ID: 2559590344-2084034818
                                                    • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                    • Instruction ID: 2e06a3c14bd73546a27c46715e16aef4c4e93f7a1d0e14ae6e8ed680cabfac0c
                                                    • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                    • Instruction Fuzzy Hash: D3318F21F1EA4391EE23BB52980057DAA94FF4ABA0F594634DD1D8A388FF3CE8448300

                                                    Control-flow Graph

                                                    control_flow_graph 360 7ff64d311b18-7ff64d311b32 _time64 361 7ff64d311b80-7ff64d311ba8 360->361 362 7ff64d311b34-7ff64d311b37 360->362 361->361 364 7ff64d311baa-7ff64d311bd8 361->364 363 7ff64d311b40-7ff64d311b68 362->363 363->363 365 7ff64d311b6a-7ff64d311b71 363->365 366 7ff64d311bfa-7ff64d311c32 364->366 367 7ff64d311bda-7ff64d311bf5 call 7ff64d311ee0 364->367 365->364 368 7ff64d311c64-7ff64d311c78 call 7ff64d312230 366->368 369 7ff64d311c34-7ff64d311c43 366->369 367->366 378 7ff64d311c7d-7ff64d311c88 368->378 371 7ff64d311c48-7ff64d311c62 call 7ff64d3168c0 369->371 372 7ff64d311c45 369->372 371->378 372->371 379 7ff64d311c8a-7ff64d311c98 378->379 380 7ff64d311cbb-7ff64d311cde 378->380 381 7ff64d311c9a-7ff64d311cad 379->381 382 7ff64d311cb3-7ff64d311cb6 call 7ff64d312680 379->382 383 7ff64d311d55-7ff64d311d70 380->383 381->382 384 7ff64d311da2-7ff64d311dce _invalid_parameter_noinfo_noreturn WSAGetLastError call 7ff64d311450 call 7ff64d312680 381->384 382->380 387 7ff64d311d76 383->387 388 7ff64d3118a0-7ff64d3118a3 383->388 390 7ff64d311d78-7ff64d311da1 call 7ff64d312660 384->390 387->390 392 7ff64d3118f3-7ff64d3118fe 388->392 393 7ff64d3118a5-7ff64d3118b7 388->393 398 7ff64d311dd0-7ff64d311dde call 7ff64d311450 392->398 399 7ff64d311904-7ff64d311915 392->399 396 7ff64d3118b9-7ff64d3118c8 393->396 397 7ff64d3118e2-7ff64d3118ee call 7ff64d3120c0 393->397 403 7ff64d3118ca 396->403 404 7ff64d3118cd-7ff64d3118dd 396->404 397->383 398->390 399->383 403->404 404->383
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: _time64
                                                    • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                    • API String ID: 1670930206-4114407318
                                                    • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                    • Instruction ID: f8a9cd174659ca23798eac2f022aa01ac0081e783eeca064f6ba11932dc85c21
                                                    • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                    • Instruction Fuzzy Hash: A651D462E1CB8246EB02EB28E4403EEABA1FB467D0F404135DA5D57BAAEF3CD441D740

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: EncodePointerabort
                                                    • String ID: MOC$RCC
                                                    • API String ID: 1188231555-2084237596
                                                    • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                    • Instruction ID: b64c36aee0eebf2be55eca5f95246d926f9f377c7bcc1d632eb8909e31dc5b2b
                                                    • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                    • Instruction Fuzzy Hash: A091A173E08B838AE712EF65D8842ADBBB0F746788F144129EA8D97755EF38D155C700

                                                    Control-flow Graph

                                                    control_flow_graph 459 7ff64d315414-7ff64d315461 call 7ff64d3163f4 call 7ff64d3143d0 464 7ff64d31548e-7ff64d315492 459->464 465 7ff64d315463-7ff64d315469 459->465 467 7ff64d315498-7ff64d31549b 464->467 468 7ff64d3155b2-7ff64d3155c7 call 7ff64d315724 464->468 465->464 466 7ff64d31546b-7ff64d31546e 465->466 470 7ff64d315480-7ff64d315483 466->470 471 7ff64d315470-7ff64d315474 466->471 472 7ff64d315680 467->472 473 7ff64d3154a1-7ff64d3154d1 467->473 480 7ff64d3155c9-7ff64d3155cc 468->480 481 7ff64d3155d2-7ff64d3155d8 468->481 470->464 477 7ff64d315485-7ff64d315488 470->477 476 7ff64d315476-7ff64d31547e 471->476 471->477 474 7ff64d315685-7ff64d3156a1 472->474 473->472 478 7ff64d3154d7-7ff64d3154de 473->478 476->464 476->470 477->464 477->472 478->472 479 7ff64d3154e4-7ff64d3154e8 478->479 482 7ff64d3154ee-7ff64d3154f1 479->482 483 7ff64d31559f-7ff64d3155ad call 7ff64d313678 479->483 480->472 480->481 484 7ff64d315647-7ff64d31567b call 7ff64d3149a4 481->484 485 7ff64d3155da-7ff64d3155de 481->485 487 7ff64d315556-7ff64d315559 482->487 488 7ff64d3154f3-7ff64d315508 call 7ff64d314520 482->488 483->472 484->472 485->484 490 7ff64d3155e0-7ff64d3155e7 485->490 487->483 494 7ff64d31555b-7ff64d315563 487->494 498 7ff64d3156a2-7ff64d3156a7 abort 488->498 499 7ff64d31550e-7ff64d315511 488->499 490->484 493 7ff64d3155e9-7ff64d3155f0 490->493 493->484 496 7ff64d3155f2-7ff64d315605 call 7ff64d313bbc 493->496 497 7ff64d315569-7ff64d315593 494->497 494->498 496->484 508 7ff64d315607-7ff64d315645 496->508 497->498 501 7ff64d315599-7ff64d31559d 497->501 503 7ff64d31553a-7ff64d31553d 499->503 504 7ff64d315513-7ff64d315538 499->504 502 7ff64d315546-7ff64d315551 call 7ff64d315cf0 501->502 502->472 503->498 506 7ff64d315543 503->506 504->503 506->502 508->474
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: __except_validate_context_recordabort
                                                    • String ID: csm$csm
                                                    • API String ID: 746414643-3733052814
                                                    • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                    • Instruction ID: e3bf3e15af3d60cd6d4abd6fd4af78020dbdf0ac1c6e72affbe3e37c31db9314
                                                    • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                    • Instruction Fuzzy Hash: F271CF32A0C6938ADB22BF21944877DBFA0FB42B89F049131DA8D87A85EF3CD451C740

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                    • API String ID: 0-4114407318
                                                    • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                    • Instruction ID: 4f051363d90220dd63e49b3adb339767620dd18d18ff925d78c71796f1231fd2
                                                    • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                    • Instruction Fuzzy Hash: 0C51C522E1CB8646D711EB29E4407AEABA1EB827D0F400135EA9D53BDADF3DD441D740

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: CreateFrameInfo__except_validate_context_record
                                                    • String ID: csm
                                                    • API String ID: 2558813199-1018135373
                                                    • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                    • Instruction ID: 402dcf4eee8559771842e46ac16eed07f2f029879e3c5bfa21c187a384b40ae5
                                                    • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                    • Instruction Fuzzy Hash: 63517D72A1D74686D661BF16E44026EBBB4FB8AB90F040534DB8D87B55EF78E460CB00
                                                    APIs
                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00007FF64D3117EB
                                                    • WSAStartup.WS2_32 ref: 00007FF64D31186C
                                                      • Part of subcall function 00007FF64D311450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D311475
                                                      • Part of subcall function 00007FF64D311450: fprintf.MSPDB140-MSVCRT ref: 00007FF64D311485
                                                      • Part of subcall function 00007FF64D311450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D311494
                                                      • Part of subcall function 00007FF64D311450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D3114B3
                                                      • Part of subcall function 00007FF64D311450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D3114BE
                                                      • Part of subcall function 00007FF64D311450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF64D3114C7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                    • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                    • API String ID: 1412700758-3183687674
                                                    • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                    • Instruction ID: d05ddd9094528937aa89bade4ea10c976e1562ac7e01ebcd74aedc69281b5881
                                                    • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                    • Instruction Fuzzy Hash: 3D017522E1C98695F762BF52EC427FEAB60BB4A798F400035EE4D46655DE3CD496C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastgethostname
                                                    • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                    • API String ID: 3782448640-4114407318
                                                    • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                    • Instruction ID: cdbb0c99d66e9f7d127a7658179816e7b7b1a83ac49335073b59b6b5fcf09846
                                                    • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                    • Instruction Fuzzy Hash: 3F11E321E0D24345EA4AFB21B8513FEAA919F877A4F001235EE5F972D6FD3CD4428340
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: terminate
                                                    • String ID: MOC$RCC$csm
                                                    • API String ID: 1821763600-2671469338
                                                    • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                    • Instruction ID: cb506c820f9e7369ab1f04731cb3ebde9fcf62b5ef11aee6ff08dd8f5079d3d1
                                                    • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                    • Instruction Fuzzy Hash: 8EF08C36D0C24B81E7267F51E5410ACBA64EF59B84F185431D70986292EF7CE4A0C602
                                                    APIs
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF64D3118EE), ref: 00007FF64D3121E0
                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D31221E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                    • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                    • String ID: Invalid process id '%d' error %d
                                                    • API String ID: 73155330-4244389950
                                                    • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                    • Instruction ID: 67adae46dc52613c46231948c1fe62f83a32c4ad9e4b22a1385ec7ddf316aba0
                                                    • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                    • Instruction Fuzzy Hash: 9E31DD26F0D78385EA12FB2299052ADEAA1AB06BD0F080631DB5D47BD5EE7CE091C300
                                                    APIs
                                                    • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF64D31173F), ref: 00007FF64D313FC8
                                                    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF64D31173F), ref: 00007FF64D31400E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1865356434.00007FF64D311000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF64D310000, based on PE: true
                                                     • Associated: 00000007.00000002.1865295172.00007FF64D310000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1865384805.00007FF64D318000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1865414743.00007FF64D31C000.00000004.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000007.00000002.1865434147.00007FF64D31D000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff64d310000_createdump.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFileHeaderRaise
                                                    • String ID: csm
                                                    • API String ID: 2573137834-1018135373
                                                    • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                    • Instruction ID: 4cc26a78c7dd94d619dce4f21817a538ebdfec157e0eb0b2e6977d7c6cdd8600
                                                    • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                    • Instruction Fuzzy Hash: 42113D32A1CB4692EB12AB15F44026DBBA0FB89B84F184230EECD47B58EF3DD555C700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: strncmp$__acrt_iob_func$av_dict_freeav_strerrorfprintfprintf$av_dict_getos_event_init$__stdio_common_vfprintf_errnoav_dict_countav_dict_parse_stringav_mallocavformat_write_headeravio_alloc_contextavio_openbreallocmemmovepthread_createpthread_mutex_initstrerror
                                                    • String ID: %s=%s$Couldn't open '%s', %s$Error opening '%s': %s$Failed to parse muxer settings: %s%s$Using muxer settings:
                                                    • API String ID: 2783795328-2826353358
                                                    • Opcode ID: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
                                                    • Instruction ID: 78cd8282fa92bbeb1cb89d73c9b57d26375162269faa75ddfcbeec7412ec1c24
                                                    • Opcode Fuzzy Hash: 0ced714b6d2bafb841ab697dc7cb68e417ab27a254e86fbca716fd3c82a395c5
                                                    • Instruction Fuzzy Hash: B6A15033A1CA9AA2E714FF21D4503F96360FB9A788F408136EA4D87757EF28E5D48350
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func$freemalloc$fprintf$ByteCharMultiWideav_rescale_q_rndrealloc$ErrorMode__stdio_common_vfprintf_fileno_setmodeav_interleaved_write_frameav_strerrormemsetsetvbuf
                                                    • String ID: Couldn't initialize muxer$av_interleaved_write_frame failed: %d: %s
                                                    • API String ID: 4192084208-164389310
                                                    • Opcode ID: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
                                                    • Instruction ID: b221bdff960c3dc0a06215dedeae9737a9e0c0949b1cc2c46ac91cbb9e30d12f
                                                    • Opcode Fuzzy Hash: 90e4d641eae2122b72088982d14054dbbcc6ef952270b6c02c8a2abd6878b3b9
                                                    • Instruction Fuzzy Hash: F7E19F33A0CA9A96EB20FF61D8543AE67A4FB8AB84F404235DE0D97756DF3CD1858710
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                    • String ID:
                                                    • API String ID: 313767242-0
                                                    • Opcode ID: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
                                                    • Instruction ID: ceafa4d4ad5e5fd03e6bb1640e543da362ca378bceb09ee84611cf2bc1cb5c3d
                                                    • Opcode Fuzzy Hash: 8e29f9cfb3282d508510f87b074f2afb23630758b427b43b81c2847ae2e7d6a0
                                                    • Instruction Fuzzy Hash: 9C314D7360DA959AEB60AF60E8403EE6364FB86744F44443ADA4E87B85DF38D188C710
                                                    APIs
                                                      • Part of subcall function 00007FF640A02570: printf.MSPDB140-MSVCRT ref: 00007FF640A02587
                                                      • Part of subcall function 00007FF640A02530: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,00000000,00007FF640A02617,?,?,?,00007FF640A01BD6,?,?,?,00007FF640A01A02), ref: 00007FF640A02552
                                                    • puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF640A01BD6,?,?,?,00007FF640A01A02), ref: 00007FF640A028DF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: atoiprintfputs
                                                    • String ID: Invalid number of audio tracks$Invalid number of video tracks$Must have at least 1 audio track or 1 video track$audio codec$audio track count$file name$muxer settings$stream key$video bitrate$video chroma sample location$video codec$video codec tag$video color primaries$video color range$video color trc$video colorspace$video fps den$video fps num$video height$video max luminance$video track count$video width${stream_key}
                                                    • API String ID: 3402752964-4246942696
                                                    • Opcode ID: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                    • Instruction ID: 28978684c86a8ac26b04075b18faae634567110a243075ae9b90c9bb662da69b
                                                    • Opcode Fuzzy Hash: bbb72588bee9787a683502761444138c14bf0f1375247d53f9cdc5c5b4da8170
                                                    • Instruction Fuzzy Hash: 84813D7690C76AB1FA14FF51AA144F91391AB0BB98F854072DD0D877979F3CE18AC324
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintffclosefprintfmallocos_event_signalos_event_waitpthread_mutex_lock
                                                    • String ID: Error allocating memory for output$Error writing to '%s', %s
                                                    • API String ID: 2637689336-4070097938
                                                    • Opcode ID: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                    • Instruction ID: 9c167dc7a50a7f150fffecdc33e5a1226b3c6638a1a7dd2b981ab6f947aca9f0
                                                    • Opcode Fuzzy Hash: a31c7b85b8c0d82d0157cb35a6e72543ed071c06804e902690462ed57beb3fc0
                                                    • Instruction Fuzzy Hash: EAA15D33A0CA9A95E711BF21E4443FE6360FB8AB88F440131DE8D8B75ADF78D1948720
                                                    APIs
                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF640A01A6D
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A0204A
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A02065
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A02080
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A0209B
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A020B6
                                                    • avformat_network_init.AVFORMAT-60 ref: 00007FF640A01A85
                                                    • av_guess_format.AVFORMAT-60 ref: 00007FF640A01AAF
                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF640A01ABC
                                                    • fprintf.MSPDB140-MSVCRT ref: 00007FF640A01AD0
                                                    • avformat_alloc_output_context2.AVFORMAT-60 ref: 00007FF640A01AEC
                                                    • av_strerror.AVUTIL-58 ref: 00007FF640A01B19
                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF640A01B23
                                                    • fprintf.MSPDB140-MSVCRT ref: 00007FF640A01B38
                                                      • Part of subcall function 00007FF640A02910: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF640A01B4C), ref: 00007FF640A02939
                                                      • Part of subcall function 00007FF640A02370: avcodec_free_context.AVCODEC-60 ref: 00007FF640A02388
                                                      • Part of subcall function 00007FF640A02370: av_free.AVUTIL-58 ref: 00007FF640A023B1
                                                      • Part of subcall function 00007FF640A02370: avio_context_free.AVFORMAT-60 ref: 00007FF640A023BD
                                                      • Part of subcall function 00007FF640A02370: avformat_free_context.AVFORMAT-60 ref: 00007FF640A023CC
                                                      • Part of subcall function 00007FF640A02370: avcodec_free_context.AVCODEC-60 ref: 00007FF640A02402
                                                      • Part of subcall function 00007FF640A02370: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF640A02415
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: strncmp$__acrt_iob_funcavcodec_free_contextfprintf$av_freeav_guess_formatav_strerroravformat_alloc_output_context2avformat_free_contextavformat_network_initavio_context_freecallocfree
                                                    • String ID: Couldn't find an appropriate muxer for '%s'$Couldn't initialize output context: %s$http$mpegts$video/M2PT
                                                    • API String ID: 3777911973-2524251934
                                                    • Opcode ID: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                    • Instruction ID: 7fc5fefa285fc3bc7fb96f61acf664ae855e36c603714b457d802cd8b250c881
                                                    • Opcode Fuzzy Hash: 078559d49e555ef7517477361438487f95b7fa6d5945ffa6822e70d97715306d
                                                    • Instruction Fuzzy Hash: 6A31A223E1C66A62FA24BF2594142FA2350AF8B798F505235ED5D87397EF2CE4C48720
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_funcav_content_light_metadata_allocav_mastering_display_metadata_allocav_memdupav_stream_add_side_dataavcodec_alloc_context3avcodec_descriptor_get_by_name
                                                    • String ID: 2$Couldn't find codec '%s'$E
                                                    • API String ID: 3726879996-2734579634
                                                    • Opcode ID: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                    • Instruction ID: c0b80732805c12c4b81e88444748371186d60d771edd244fa2e07c2ed517b57f
                                                    • Opcode Fuzzy Hash: 984bf621481a9a25f05ee9f8f0874bf5fd16c3df77fd558344dbfddc274f0f6a
                                                    • Instruction Fuzzy Hash: 1581E4776087848BD754EF25E54435EBBB0F78AB88F10402AEB8C87B59DB7AD854CB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func$avcodec_descriptor_get_by_nameavcodec_find_encoder
                                                    • String ID: Couldn't find codec '%s'$Couldn't find codec descriptor '%s'$title
                                                    • API String ID: 3715327632-3279048111
                                                    • Opcode ID: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
                                                    • Instruction ID: 77efa7aaec5b399eebcd299cade5ab946edbddd33068ae8f7c72a287771cae3d
                                                    • Opcode Fuzzy Hash: c9720edbb9d548ebec2452977bce4eb4d803eed367fb80ba86fd3ea18017a218
                                                    • Instruction Fuzzy Hash: AD619B73608B8996DB08EF16E4943A977A0FB8AB98F054035DF4E877A5DF38E095C710
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: bfreefreeos_event_destroy$av_packet_freeav_write_traileros_event_signalpthread_joinpthread_mutex_destroypthread_mutex_lockpthread_mutex_unlock
                                                    • String ID:
                                                    • API String ID: 3736584056-0
                                                    • Opcode ID: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
                                                    • Instruction ID: 5137f8ace3f72e5c1f766848ce4dbe25cda2f2ea576d637d8dd8fd15b435bfb8
                                                    • Opcode Fuzzy Hash: 8bdf6fd2e92e54ef71616242ce810bf52dd6c25259264d2bdbef31b8de60417c
                                                    • Instruction Fuzzy Hash: 75313923A1CA96A1E751FF30C4653FC2364FF86B48F484131DA4E8A29BDF29A5C58360
                                                    APIs
                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A0204A
                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A02065
                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A02080
                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A0209B
                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A020B6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: strncmp
                                                    • String ID: http$rist$srt$tcp$udp
                                                    • API String ID: 1114863663-504309389
                                                    • Opcode ID: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
                                                    • Instruction ID: ea8fe64e1d5aabf8986e9f055e4cd8de845157b8b4d7e8b27d4f206cc34c4985
                                                    • Opcode Fuzzy Hash: d2521f5543573ed7a9b47c763349208ce3ea302e6d5c14a99d4cb2250db2cd2e
                                                    • Instruction Fuzzy Hash: B0013CA2B1C62BA1FB217F22E4442A51360AF4BB99F909035C90CC7352DF2DE9C9C330
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                     • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: memcpypthread_mutex_lockpthread_mutex_unlock$os_event_resetos_event_signalos_event_wait
                                                    • String ID:
                                                    • API String ID: 2918620995-0
                                                    • Opcode ID: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
                                                    • Instruction ID: ee91d1f9ecdc5b7d8892eb2604a751e826afe0138129bb79a5cc2ad46a5f1ff8
                                                    • Opcode Fuzzy Hash: 2ecd02ec26d4cc9ba7addf2ffba6d2c38598a6939d4a4f97ceb40f02c73610ba
                                                    • Instruction Fuzzy Hash: F2414F3361CB9591D610FF61E4503A96764FB8AB98F440132EF8D8BB5BCF39D1A48720
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                    • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
                                                    • String ID:
                                                    • API String ID: 1184979102-0
                                                    • Opcode ID: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
                                                    • Instruction ID: 9448db21672cad445c48e90d50e0bdb02f58fd25e59e8403d00bfec0349d99ba
                                                    • Opcode Fuzzy Hash: d1267e791b308d50114738cb6d3fcce0682459912f5f90b2ba963487117e6561
                                                    • Instruction Fuzzy Hash: C6313963E0C62AB1FA14BF2594513BA2395AF47784F444035EA4ED73E3DE6EE4C48631
                                                    APIs
                                                    • avcodec_free_context.AVCODEC-60 ref: 00007FF640A02388
                                                    • avformat_free_context.AVFORMAT-60 ref: 00007FF640A023CC
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A0204A
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A02065
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A02080
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A0209B
                                                      • Part of subcall function 00007FF640A02030: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF640A023A2), ref: 00007FF640A020B6
                                                    • av_free.AVUTIL-58 ref: 00007FF640A023B1
                                                    • avio_context_free.AVFORMAT-60 ref: 00007FF640A023BD
                                                    • avio_close.AVFORMAT-60 ref: 00007FF640A023C4
                                                    • avcodec_free_context.AVCODEC-60 ref: 00007FF640A02402
                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF640A02415
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                    • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: strncmp$avcodec_free_context$av_freeavformat_free_contextavio_closeavio_context_freefree
                                                    • String ID:
                                                    • API String ID: 1086289117-0
                                                    • Opcode ID: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
                                                    • Instruction ID: 4968b16e4dfd6c4814c109ff2a143106942b01c9d0d1832aee0116534edb4271
                                                    • Opcode Fuzzy Hash: 5750c0e3cd2fb8260dfd87b4c22098c1e8e3cbc363b4994d39577057d30215b3
                                                    • Instruction Fuzzy Hash: 11213C33A0C66992EB10BF25E4502BC63A4FB86F88F155536DA8D8774BCE28D4928321
                                                    APIs
                                                    • avformat_new_stream.AVFORMAT-60(?,?,?,00007FF640A012F1), ref: 00007FF640A029AD
                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF640A012F1), ref: 00007FF640A029C0
                                                    • fprintf.MSPDB140-MSVCRT ref: 00007FF640A029D3
                                                      • Part of subcall function 00007FF640A02320: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF640A029D8,?,?,?,00007FF640A012F1), ref: 00007FF640A02357
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1866477017.00007FF640A01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF640A00000, based on PE: true
                                                    • Associated: 0000000A.00000002.1866452831.00007FF640A00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1866501854.00007FF640A05000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1866521843.00007FF640A06000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 0000000A.00000002.1866543593.00007FF640A09000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ff640a00000_obs-ffmpeg-mux.jbxd
                                                    Similarity
                                                    • API ID: __acrt_iob_func__stdio_common_vfprintfavformat_new_streamfprintf
                                                    • String ID: Couldn't create stream for encoder '%s'
                                                    • API String ID: 306180413-3485626053
                                                    • Opcode ID: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
                                                    • Instruction ID: 4ee8b456a5e2b8f7d9b59a2912e691ce0656b1d586bdf4fae9ca71343185a854
                                                    • Opcode Fuzzy Hash: 97d36ac62344db8522675eb32487dc47749b1acbad2880230df25e82e6eb689d
                                                    • Instruction Fuzzy Hash: 7AF06D32A1DB9491EA48EF16F45106AA7A0FB8DBD0B489035EE5D4371ADE3CD591CB00