Edit tour

Windows Analysis Report
setup.msi

Overview

General Information

Sample name:	setup.msi
Analysis ID:	1580907
MD5:	0c7afa785117afdb85ab29b0a12edc51
SHA1:	3b685880e7ec090ab3ead12d591b2aca1ac3dcfe
SHA256:	d14acce52061baa353ffd5698c16dd07a9cca9d86b28c1de64d51e21c3c3c6ac
Tags:	LegionLoadermsiRobotDroppersuccessroadway-comuser-aachum
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

AI detected suspicious sample

Bypasses PowerShell execution policy

Query firmware table information (likely to detect VMs)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious MsiExec Embedding Parent

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6648 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6748 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7084 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AB445A69D981EDB4D15E6FBD975892FD MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 3636 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3192 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ImporterREDServer.exe (PID: 2200 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)

conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

createdump.exe (PID: 3052 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)

conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding AB445A69D981EDB4D15E6FBD975892FD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7084, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 3636, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding AB445A69D981EDB4D15E6FBD975892FD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7084, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 3636, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding AB445A69D981EDB4D15E6FBD975892FD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7084, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 3636, ProcessName: powershell.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.6.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7084, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding AB445A69D981EDB4D15E6FBD975892FD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7084, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 3636, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T13:03:31.023601+0100	2829202	1	A Network Trojan was detected	192.168.2.4	49730	104.21.6.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.0% probability

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.6.3:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000000.1913196730.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000000.1915384529.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: ucrtbase.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 5c7c35.msi.1.dr, MSIAFE1.tmp.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000C.00000002.1919043933.00000001802BD000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 5c7c35.msi.1.dr, MSIAFE1.tmp.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000000.1915384529.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000000.1913196730.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, 5c7c35.msi.1.dr, MSI8718.tmp.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 5c7c35.msi.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

Code function: 12_2_00007FFE0EBEA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,

12_2_00007FFE0EBEA330

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 104.21.6.3:443

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: successroadway.com

Source: unknown

HTTP traffic detected: POST /updater.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: successroadway.comContent-Length: 71Cache-Control: no-cache

Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000002.1864019626.0000000005087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000003.00000002.1864019626.0000000004F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1864019626.0000000005087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ImporterREDServer.exe, 0000000C.00000002.1919043933.00000001802BD000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000003.00000002.1864019626.0000000004F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1864019626.0000000005087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1864019626.000000000539D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: https://successroadway.com/updater.phpx
Source: powershell.exe, 00000003.00000002.1872051184.000000000751B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wdcp.micros
Source: setup.msi, 5c7c35.msi.1.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.21.6.3:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5c7c35.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI852E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI85BB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI861A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI864A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8699.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI86D9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8718.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3C9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAFC0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAFE1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5c7c38.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5c7c38.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI852E.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_0000000140012220	12_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_0000000140008390	12_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_0000000140007FC0	12_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC03F00	12_2_00007FFE0EC03F00
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBFDF10	12_2_00007FFE0EBFDF10
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC00710	12_2_00007FFE0EC00710
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC1B698	12_2_00007FFE0EC1B698
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBED810	12_2_00007FFE0EBED810
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBEC780	12_2_00007FFE0EBEC780
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC04780	12_2_00007FFE0EC04780
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBF8FB0	12_2_00007FFE0EBF8FB0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBFBCD0	12_2_00007FFE0EBFBCD0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC144E0	12_2_00007FFE0EC144E0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC06C84	12_2_00007FFE0EC06C84
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBF6440	12_2_00007FFE0EBF6440
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBF9460	12_2_00007FFE0EBF9460
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC00C60	12_2_00007FFE0EC00C60
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC05470	12_2_00007FFE0EC05470
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBFCDF0	12_2_00007FFE0EBFCDF0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC1BDA0	12_2_00007FFE0EC1BDA0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC195A8	12_2_00007FFE0EC195A8
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC12D70	12_2_00007FFE0EC12D70
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC06338	12_2_00007FFE0EC06338
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC1A27C	12_2_00007FFE0EC1A27C
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBFABB0	12_2_00007FFE0EBFABB0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC04340	12_2_00007FFE0EC04340
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBF60D0	12_2_00007FFE0EBF60D0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC12880	12_2_00007FFE0EC12880
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBEE8B0	12_2_00007FFE0EBEE8B0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC02208	12_2_00007FFE0EC02208
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC1F9DA	12_2_00007FFE0EC1F9DA
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EBEF9B0	12_2_00007FFE0EBEF9B0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE13307508	12_2_00007FFE13307508

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

Code function: String function: 000000014000BC30 appears 53 times

Source: api-ms-win-core-handle-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found

Source: setup.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameDataUploader.dllF vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameucrtbase.dllj% vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenamevcruntime140.dllT vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenamemsvcp140.dllT vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs setup.msi
Source: setup.msi	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs setup.msi

Source: classification engine

Classification label: mal68.evad.winMSI@17/91@1/1

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

Code function: 12_2_0000000140010BE0 GetLastError,FormatMessageA,

12_2_0000000140010BE0

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

Code function: 12_2_00007FFE0EBEA7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn,

12_2_00007FFE0EBEA7B0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLB97C.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1188:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF28110E50532DE64C.TMP

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AB445A69D981EDB4D15E6FBD975892FD
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AB445A69D981EDB4D15E6FBD975892FD	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: dvacore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: libzip.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: boost_system.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: boost_date_time.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: boost_threads.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: boost_filesystem.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: dvaunittesting.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: utest.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}

Jump to behavior

Source: setup.msi

Static file information: File size 60336401 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000000.1913196730.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000000.1915384529.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: ucrtbase.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, 5c7c35.msi.1.dr, MSIAFE1.tmp.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000C.00000002.1919043933.00000001802BD000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, 5c7c35.msi.1.dr, MSIAFE1.tmp.1.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000000.1915384529.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000000.1913196730.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: setup.msi, 5c7c35.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, 5c7c35.msi.1.dr, MSI8718.tmp.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 5c7c35.msi.1.dr

Source: api-ms-win-core-synch-l1-2-0.dll.1.dr

Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]

Source: vcruntime140.dll.1.dr	Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr	Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr	Static PE information: section name: _RDATA
Source: createdump.exe.1.dr	Static PE information: section name: _RDATA
Source: MSIAFE1.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI852E.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI85BB.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI861A.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI864A.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI8699.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI86D9.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI8718.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIA3C9.tmp.1.dr	Static PE information: section name: .fptable

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_049D329C pushfd ; ret		3_2_049D32A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_049DBDA2 push esp; ret		3_2_049DBDB3

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI852E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8718.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3C9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI86D9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAFE1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8699.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI864A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI85BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI861A.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAFE1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI864A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8699.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3C9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI852E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI85BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI86D9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8718.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI861A.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

Code function: 12_2_00007FFE0EC1C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

12_2_00007FFE0EC1C0C0

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4107			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1072			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIAFE1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8699.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI852E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8718.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI864A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA3C9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI85BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI86D9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI861A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe

API coverage: 8.2 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7020	Thread sleep count: 4107 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7096	Thread sleep count: 1072 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5660	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2104	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

Code function: 12_2_00007FFE0EBEA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,

12_2_00007FFE0EBEA330

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: 5c7c35.msi.1.dr

Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe

Code function: 9_2_00007FF71FBA2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_00007FF71FBA2ECC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	Code function: 9_2_00007FF71FBA2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00007FF71FBA2ECC
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	Code function: 9_2_00007FF71FBA3074 SetUnhandledExceptionFilter,	9_2_00007FF71FBA3074
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	Code function: 9_2_00007FF71FBA2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00007FF71FBA2984
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_0000000140011F24 SetUnhandledExceptionFilter,	12_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE0EC32CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FFE0EC32CDC
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE1331004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FFE1331004C
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	Code function: 12_2_00007FFE1A454568 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FFE1A454568

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssb0a6.ps1" -propfile "c:\users\user\appdata\local\temp\msib093.txt" -scriptfile "c:\users\user\appdata\local\temp\scrb094.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrb095.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssb0a6.ps1" -propfile "c:\users\user\appdata\local\temp\msib093.txt" -scriptfile "c:\users\user\appdata\local\temp\scrb094.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrb095.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

Code function: ___lc_locale_name_func,GetLocaleInfoEx,

12_2_00007FFE0EC0EFC0

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe

Code function: 9_2_00007FF71FBA2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_00007FF71FBA2DA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	111 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	121 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.msi	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll	0%	ReversingLabs
C:\Windows\Installer\MSI852E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI85BB.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI861A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI864A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI8699.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI86D9.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI8718.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA3C9.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIAFE1.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://successroadway.com/updater.phpx	0%	Avira URL Cloud	safe
https://successroadway.com/updater.php	0%	Avira URL Cloud	safe
https://wdcp.micros	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
successroadway.com	104.21.6.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://successroadway.com/updater.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://successroadway.com/updater.phpx	setup.msi, 5c7c35.msi.1.dr	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1864019626.0000000005087000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.1864019626.0000000004F31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1864019626.0000000005087000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000003.00000002.1864019626.000000000539D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000003.00000002.1870716587.0000000005F97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wdcp.micros	powershell.exe, 00000003.00000002.1872051184.000000000751B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.mick	setup.msi, 5c7c35.msi.1.dr	false		high
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-	ImporterREDServer.exe, 0000000C.00000002.1919043933.00000001802BD000.00000002.00000001.01000000.00000008.sdmp	false		high
https://aka.ms/winui2/webview2download/Reload():	setup.msi, 5c7c35.msi.1.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1864019626.0000000004F31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1864019626.0000000005087000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.6.3	successroadway.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580907
Start date and time:	2024-12-26 13:02:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.msi
Detection:	MAL
Classification:	mal68.evad.winMSI@17/91@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ImporterREDServer.exe, PID 2200 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 3636 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
07:03:32	API Interceptor	5x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.6.3	Remittance Advice.eml	Get hash	malicious	ReCaptcha Phish	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	z3IxCpcpg4.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	GtEVo1eO2p.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	SPFFah2O2q.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	ZBbOXn0a3R.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.165.185
	4KDKJjRzm8.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	P0SJULJxI0.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	b0ho5YYSdo.exe	Get hash	malicious	LummaC	Browse	104.21.66.113
	C8QT9HkXEb.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	r06aMlvVyM.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse	172.67.150.49

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	104.21.6.3
	00000.ps1	Get hash	malicious	LummaC	Browse	104.21.6.3
	123.ps1	Get hash	malicious	LummaC	Browse	104.21.6.3
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	104.21.6.3
	blq.exe	Get hash	malicious	Gh0stCringe, RunningRAT, XRed	Browse	104.21.6.3
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	104.21.6.3
	New PO - Supplier 0202AW-PER2.exe	Get hash	malicious	LodaRAT, XRed	Browse	104.21.6.3
	RNEQTT.exe	Get hash	malicious	LodaRAT, XRed	Browse	104.21.6.3
	installer.msi	Get hash	malicious	Unknown	Browse	104.21.6.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe	installer.msi	Get hash	malicious	Unknown	Browse
	E8vC8KRIp1.msi	Get hash	malicious	Unknown	Browse
	installer.msi	Get hash	malicious	Unknown	Browse
	3gPZmVbozD.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	installer.msi	Get hash	malicious	Unknown	Browse
	setup.msi	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
	q9bzWO2X1r.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\5c7c37.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	20594
Entropy (8bit):	5.811314891218374
Encrypted:	false
SSDEEP:	384:9+O9KXgTF1bfRqYUtX+/F9ir3VPQHCCQIQNV8cP6wmJFgopdLV7mF5dSsPXUXj2s:9+O9KXgTF1bfRqYUtX+/F9ir3VPQHCCB
MD5:	127933023A7F4E54E1113199DEF27A44
SHA1:	8D95BA28E00DF7B41242C8C9CF79DD77CBB48B87
SHA-256:	ADED64557DD2FAD7391E945FCE14EC01C951C84E9FA7D756E6753739B3B415E9
SHA-512:	F24E4C815866112A5FB69169FDDB80FBA5F996EDE7CFC606DFE84C9D6E41EBEC71259EEAC670DDB4BEC0E64AECD728EBD88F34442D8FAA9F1BEC2C7ED7CBB641
Malicious:	false
Preview:	...@IXOS.@.....@q8.Y.@.....@.....@.....@.....@.....@......&.{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}..Cave App..setup.msi.@.....@.....@.....@......icon_22.exe..&.{394343F4-E39C-409D-BD57-1C70A6E4B89C}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}.@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}&.{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}.@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}&.{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}.@......&.{DE28A560-E5E1-4035-8CA3-44934686A249}&.{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}.@......&.{03D39B98-E7BB-4062-BD92-307D642A5CF1}&.{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{1C4A5FBA-760B-4754-A

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.415059038751397
Encrypted:	false
SSDEEP:	24:3Uyt3WSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R82r6SVbu:ky9WSU4y4RQmFoUeWmfmZ9tK8NWR823Q
MD5:	C9FCDEDA736FE17312D6972E2794F6C0
SHA1:	577B74490A15625AA1F5EB1C3FDC1CEF6CC08826
SHA-256:	B9903D16E49921FE437EC4C8DA74163F9369C519B8E3F3DC763B73AF2B40422A
SHA-512:	96A1C2ADBE659F8D15BE35B342DA7479A2F196F64D9DA82F22E618391C12E37E413F25E539EC17AF3F7FD2DAAF656D2EA509E022BF00BD88A91681484FC98A44
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4s5rklwc.h3c.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hsul1pbm.ex4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\msiB093.txt

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	96
Entropy (8bit):	2.99798449505456
Encrypted:	false
SSDEEP:	3:QmalTuOIAlSRYplflbPRYplf955:Qmalt9lLZiLN
MD5:	F26BF481CA203C7D611850139ACBEF41
SHA1:	EA86C45B436D1B8F5F42F87AE5034332A5BCFEC4
SHA-256:	A6AE6BBFC3486BA26A9A3C67B127D6972D16B8B925BDE4AF20880EE1B1D997CB
SHA-512:	D1D2AE7C30A146AC1A85BDC133CE1F105AFC6F4EC8C5BD21A8EAACD0910929D3A9FCB540AB533A253C296C51DC71D1AE58749F7449DAB1C530E82D78D3544E4E
Malicious:	true
Preview:	..C.e.v.e.r.a.l.S.e.s. .:.<.-.>.:. . .<.<.:.>.>. .T.r.i.a.l.N.o.w. .:.<.-.>.:. .0. .<.<.:.>.>. .

C:\Users\user\AppData\Local\Temp\pssB0A6.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6668
Entropy (8bit):	3.5127462716425657
Encrypted:	false
SSDEEP:	96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
MD5:	30C30EF2CB47E35101D13402B5661179
SHA1:	25696B2AAB86A9233F19017539E2DD83B2F75D4E
SHA-256:	53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
SHA-512:	882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
Malicious:	true
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\scrB094.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	3.576902729499699
Encrypted:	false
SSDEEP:	6:QfFok79idK3fclQ9zgltHN+KiVmMXFVrMTlp1LlG7JidK3fpdInO:QfF3IugM/XFVrMTWNvn
MD5:	479FAC6E0C05C5A57698619AFE51DEF2
SHA1:	1AF4A4DB75ACE8324ED7BFF59D711E80A7BDB821
SHA-256:	700080D274E5629A2BFA0D47B9BAF53AD69E67A64A2B04D84115D5851AB3DDBD
SHA-512:	B0B5065C216EBC1124B985F3FF86EE7C7E7E9B994190D1103C454EDD602E0242B7160BFFB202538470254675DFACAC6159F1A459B979DAD563BDED84FCED193E
Malicious:	true
Preview:	..$.o.i.g.n.q.p. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".C.e.v.e.r.a.l.S.e.s.".....$.a.v.o.i.j.g. .=. .[.u.i.n.t.3.2.].(.$.o.i.g.n.q.p. .-.r.e.p.l.a.c.e. .'.b.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".T.r.i.a.l.N.o.w.". .$.a.v.o.i.j.g.

C:\Users\user\AppData\Roaming\Microsoft\Installer\{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}\icon_22.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	372526
Entropy (8bit):	4.467275942115759
Encrypted:	false
SSDEEP:	3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
MD5:	B52B2D1D4C9E56CA24AB0CD0730CC5AD
SHA1:	C70A3683DF57DE3096CA58F314C0B649035392CC
SHA-256:	73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
SHA-512:	CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
Malicious:	false
Preview:	............ .( ..v......... .(.... ..@@.... .(B...(..00.... ..%...j.. .... ............... .....>......... .h......(............. ...... ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	310928
Entropy (8bit):	6.001677789306043
Encrypted:	false
SSDEEP:	3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
MD5:	147B71C906F421AC77F534821F80A0C6
SHA1:	3381128CA482A62333E20D0293FDA50DC5893323
SHA-256:	7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
SHA-512:	2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: installer.msi, Detection: malicious, Browse Filename: E8vC8KRIp1.msi, Detection: malicious, Browse Filename: installer.msi, Detection: malicious, Browse Filename: 3gPZmVbozD.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: installer.msi, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse Filename: q9bzWO2X1r.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}\|...\|...\|....../p....../v....../1...u.a.l....../u...\|........./v....../}...Rich\|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	117496
Entropy (8bit):	6.136079902481222
Encrypted:	false
SSDEEP:	1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
MD5:	F67792E08586EA936EBCAE43AAB0388D
SHA1:	4A5B4009DE72DB003D57F8A4416D17F95B3539A8
SHA-256:	4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
SHA-512:	F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,\|..B/..B/..B/.../..B/.G...B/.F...B/.A...B/.C...B/.C...B/..G...B/<.C...B/..C/..B/<.G...B/<../..B/.../..B/<.@...B/Rich..B/................PE..d.....-a..........#............................@.....................................].... .................................................D...,...............`....................]..T...................P_..(...P^...............0..H............................text............................... ..`.rdata...o...0...p..."..............@..@.data...@...........................@....pdata..`...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	506008
Entropy (8bit):	6.4284173495366845
Encrypted:	false
SSDEEP:	6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
MD5:	98CCD44353F7BC5BAD1BC6BA9AE0CD68
SHA1:	76A4E5BF8D298800C886D29F85EE629E7726052D
SHA-256:	E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
SHA-512:	D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............\|.&.....\|.$.J...\|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................\|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.596101286914553
Encrypted:	false
SSDEEP:	192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
MD5:	919E653868A3D9F0C9865941573025DF
SHA1:	EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
SHA-256:	2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
SHA-512:	6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.640081558424349
Encrypted:	false
SSDEEP:	192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
MD5:	7676560D0E9BC1EE9502D2F920D2892F
SHA1:	4A7A7A99900E41FF8A359CA85949ACD828DDB068
SHA-256:	00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
SHA-512:	F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11712
Entropy (8bit):	6.6023398138369505
Encrypted:	false
SSDEEP:	192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
MD5:	AC51E3459E8FCE2A646A6AD4A2E220B9
SHA1:	60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
SHA-256:	77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
SHA-512:	6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.614262942006268
Encrypted:	false
SSDEEP:	192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
MD5:	B0E0678DDC403EFFC7CDC69AE6D641FB
SHA1:	C1A4CE4DED47740D3518CD1FF9E9CE277D959335
SHA-256:	45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
SHA-512:	2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.654155040985372
Encrypted:	false
SSDEEP:	192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
MD5:	94788729C9E7B9C888F4E323A27AB548
SHA1:	B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
SHA-256:	ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
SHA-512:	AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15304
Entropy (8bit):	6.548897063441128
Encrypted:	false
SSDEEP:	192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
MD5:	580D9EA2308FC2D2D2054A79EA63227C
SHA1:	04B3F21CBBA6D59A61CD839AE3192EA111856F65
SHA-256:	7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
SHA-512:	97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11712
Entropy (8bit):	6.622041192039296
Encrypted:	false
SSDEEP:	192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
MD5:	35BC1F1C6FBCCEC7EB8819178EF67664
SHA1:	BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
SHA-256:	7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
SHA-512:	9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.730719514840594
Encrypted:	false
SSDEEP:	192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
MD5:	3BF4406DE02AA148F460E5D709F4F67D
SHA1:	89B28107C39BB216DA00507FFD8ADB7838D883F6
SHA-256:	349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
SHA-512:	5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.626458901834476
Encrypted:	false
SSDEEP:	192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
MD5:	BBAFA10627AF6DFAE5ED6E4AEAE57B2A
SHA1:	3094832B393416F212DB9107ADD80A6E93A37947
SHA-256:	C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
SHA-512:	D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.577869728469469
Encrypted:	false
SSDEEP:	192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
MD5:	3A4B6B36470BAD66621542F6D0D153AB
SHA1:	5005454BA8E13BAC64189C7A8416ECC1E3834DC6
SHA-256:	2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
SHA-512:	84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11712
Entropy (8bit):	6.6496318655699795
Encrypted:	false
SSDEEP:	192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
MD5:	A038716D7BBD490378B26642C0C18E94
SHA1:	29CD67219B65339B637A1716A78221915CEB4370
SHA-256:	B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
SHA-512:	43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12736
Entropy (8bit):	6.587452239016064
Encrypted:	false
SSDEEP:	192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
MD5:	D75144FCB3897425A855A270331E38C9
SHA1:	132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
SHA-256:	08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
SHA-512:	295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14280
Entropy (8bit):	6.658205945107734
Encrypted:	false
SSDEEP:	384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
MD5:	8ACB83D102DABD9A5017A94239A2B0C6
SHA1:	9B43A40A7B498E02F96107E1524FE2F4112D36AE
SHA-256:	059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
SHA-512:	B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.621310788423453
Encrypted:	false
SSDEEP:	96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
MD5:	808F1CB8F155E871A33D85510A360E9E
SHA1:	C6251ABFF887789F1F4FC6B9D85705788379D149
SHA-256:	DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
SHA-512:	441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.7263193693903345
Encrypted:	false
SSDEEP:	192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
MD5:	CFF476BB11CC50C41D8D3BF5183D07EC
SHA1:	71E0036364FD49E3E535093E665F15E05A3BDE8F
SHA-256:	B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
SHA-512:	7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.601327134572443
Encrypted:	false
SSDEEP:	192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
MD5:	F43286B695326FC0C20704F0EEBFDEA6
SHA1:	3E0189D2A1968D7F54E721B1C8949487EF11B871
SHA-256:	AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
SHA-512:	6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14272
Entropy (8bit):	6.519411559704781
Encrypted:	false
SSDEEP:	192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
MD5:	E173F3AB46096482C4361378F6DCB261
SHA1:	7922932D87D3E32CE708F071C02FB86D33562530
SHA-256:	C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
SHA-512:	3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.659079053710614
Encrypted:	false
SSDEEP:	192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
MD5:	9C9B50B204FCB84265810EF1F3C5D70A
SHA1:	0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
SHA-256:	25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
SHA-512:	EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11200
Entropy (8bit):	6.7627840671368835
Encrypted:	false
SSDEEP:	192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
MD5:	0233F97324AAAA048F705D999244BC71
SHA1:	5427D57D0354A103D4BB8B655C31E3189192FC6A
SHA-256:	42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
SHA-512:	8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.590253878523919
Encrypted:	false
SSDEEP:	192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
MD5:	E1BA66696901CF9B456559861F92786E
SHA1:	D28266C7EDE971DC875360EB1F5EA8571693603E
SHA-256:	02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
SHA-512:	08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.672720452347989
Encrypted:	false
SSDEEP:	192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
MD5:	7A15B909B6B11A3BE6458604B2FF6F5E
SHA1:	0FEB824D22B6BEEB97BCE58225688CB84AC809C7
SHA-256:	9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
SHA-512:	D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13760
Entropy (8bit):	6.575688560984027
Encrypted:	false
SSDEEP:	192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
MD5:	6C3FCD71A6A1A39EAB3E5C2FD72172CD
SHA1:	15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
SHA-256:	A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
SHA-512:	EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..\|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.70261983917014
Encrypted:	false
SSDEEP:	192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
MD5:	D175430EFF058838CEE2E334951F6C9C
SHA1:	7F17FBDCEF12042D215828C1D6675E483A4C62B1
SHA-256:	1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
SHA-512:	6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.599515320379107
Encrypted:	false
SSDEEP:	192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
MD5:	9D43B5E3C7C529425EDF1183511C29E4
SHA1:	07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
SHA-256:	19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
SHA-512:	C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.690164913578267
Encrypted:	false
SSDEEP:	192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
MD5:	43E1AE2E432EB99AA4427BB68F8826BB
SHA1:	EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
SHA-256:	3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
SHA-512:	40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.615761482304143
Encrypted:	false
SSDEEP:	192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
MD5:	735636096B86B761DA49EF26A1C7F779
SHA1:	E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
SHA-256:	5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
SHA-512:	3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.627282858694643
Encrypted:	false
SSDEEP:	192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
MD5:	031DC390780AC08F498E82A5604EF1EB
SHA1:	CF23D59674286D3DC7A3B10CD8689490F583F15F
SHA-256:	B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
SHA-512:	1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15816
Entropy (8bit):	6.435326465651674
Encrypted:	false
SSDEEP:	192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
MD5:	285DCD72D73559678CFD3ED39F81DDAD
SHA1:	DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
SHA-256:	6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
SHA-512:	84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.5874576656353145
Encrypted:	false
SSDEEP:	192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
MD5:	5CCE7A5ED4C2EBAF9243B324F6618C0E
SHA1:	FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
SHA-256:	AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
SHA-512:	FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13768
Entropy (8bit):	6.645869978118917
Encrypted:	false
SSDEEP:	192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
MD5:	41FBBB054AF69F0141E8FC7480D7F122
SHA1:	3613A572B462845D6478A92A94769885DA0843AF
SHA-256:	974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
SHA-512:	97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61176
Entropy (8bit):	5.850944458899023
Encrypted:	false
SSDEEP:	1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
MD5:	3B02A4FCAAC283D3C5E082B62F88BE25
SHA1:	C230237FA2BEF46A4C9649871EE46BBA89958C4E
SHA-256:	D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
SHA-512:	9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.X.F...F...F...>O..F.......F.......F.......F.......F.......F...F...F..-/...F..-/...F..-/#..F...FK..F..-/...F..Rich.F..........PE..d.....-a.........." .....X...\|.......Y.................................................... .....................................................x.......h.......................0...P...T.......................(....................p..X............................text....V.......X.................. ..`.rdata...X...p...Z...\..............@..@.data...............................@....pdata..............................@..@.rsrc...h...........................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	127224
Entropy (8bit):	6.217127607919178
Encrypted:	false
SSDEEP:	1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
MD5:	ABDA3CF0D286D6CC5EC2CB1B49DBC180
SHA1:	85CA9C24AD7CF07830E86607723770645D724C28
SHA-256:	5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
SHA-512:	AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'y.fI.fI.fI....fI..M+.fI..J+.fI..L+.fI..H+.fI..H+.fI..H+.fI.fH.fI..L+.fI..I+.fI....fI.f..fI..K+.fIRich.fI*................PE..d.....-a.........." ......................................................... ............ ..........................................x..\|B..............p.......@...............D....>..T...................0@..(...0?............... ...............................text...p........................... ..`.rdata....... ......................@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc..D...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	418040
Entropy (8bit):	6.1735291180760505
Encrypted:	false
SSDEEP:	6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
MD5:	1CC74B77B1A0B6F14B19F45412D62227
SHA1:	25C8D5B1DD13C826AC97995E2265E7960877A869
SHA-256:	1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
SHA-512:	CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+ ..Es..Es..Es...s..Es..Ar..Es..Fr..Es..@r..Es..Dr..Es..Dr..Es..Ds(.Es..@r..Es..Er..Es..s..Es...s..Es..Gr..EsRich..Es........PE..d.....-a.........." .........:.......................................................4.... .........................................`n...T...........p.......0..d2...D.................T...................0...(...0................ ...............................text...\........................... ..`.rdata..h.... ......................@..@.data....7.......0..................@....pdata..d2...0...4..................@..@.rsrc........p.......8..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	698104
Entropy (8bit):	6.463466021766765
Encrypted:	false
SSDEEP:	12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
MD5:	087DAF44CD13B79E4D59068B3A1C6250
SHA1:	653FB242A44C7742764C77D8249D00DDDC1C867E
SHA-256:	7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
SHA-512:	3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.B.P.B.P.B.P.K...N.P...T.J.P...S.@.P...U.Z.P...Q.F.P...Q.G.P.B.Q...P..U.P.P..P.C.P...C.P.B...C.P..R.C.P.RichB.P.........................PE..d.....-a.........." ................l................................................s.... ..........................................7..T...4...........X....`...D...................Q..T...................@S..(...@R..................H............................text............................... ..`.rdata...V.......X..................@..@.data...`(...0..."..................@....pdata...D...`...F...6..............@..@.rsrc...X............\|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31480
Entropy (8bit):	5.969706735107452
Encrypted:	false
SSDEEP:	384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
MD5:	CC2C7E9435E8F818F3114AEFCC84E053
SHA1:	F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
SHA-256:	59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
SHA-512:	316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{...{...{...r.e.....)...h...)...s...)...y...)....... ...x...{...E......y......z......z...{.a.z......z...Rich{...........PE..d.....-a.........." .....,...4......@0................................................... ..........................................T......tU..x.......`....p.......^..............0F..T....................G..(....F...............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...h....`.......N..............@....pdata.......p.......R..............@..@.rsrc...`............V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	103672
Entropy (8bit):	5.851546804507911
Encrypted:	false
SSDEEP:	1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
MD5:	129051E3B7B8D3CC55559BEDBED09486
SHA1:	E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
SHA-256:	73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
SHA-512:	6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X..............&........................................&.............&......&......&.J.......".....&......Rich............................PE..d.....-a.........." ................4...............................................:..... ..........................................J.......[..........`............x..............`...T.......................(....................................................text............................... ..`.rdata.............................@..@.data........p.......N..............@....pdata...............\..............@..@.rsrc...`............n..............@..@.reloc...............t..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57488
Entropy (8bit):	6.382541157520703
Encrypted:	false
SSDEEP:	768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
MD5:	71F796B486C7FAF25B9B16233A7CE0CD
SHA1:	21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
SHA-256:	B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
SHA-512:	A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4664568
Entropy (8bit):	6.259383987199329
Encrypted:	false
SSDEEP:	49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
MD5:	A6A89F55416DB79D9E13B82685A04D60
SHA1:	EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
SHA-256:	22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
SHA-512:	D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........$n..J=..J=..J=...=..J=..N<..J=..I<..J=..O<..J=..K<..J=..N<..J=..L<..J=..K<..J=..K<..J=..K=i.J=..N<..J=..O<U.J=..J<..J=..=..J=...=..J=..H<..J=Rich..J=................PE..d.....-a.........." ......+..........f(.......................................I.......H... ..........................................7>.8.....A......@I.......G......G......PI..F....1.T...................0.1.(...0.1...............+..............................text.....+.......+................. ..`.rdata.......+.......+.............@..@.data....'...`B......DB.............@....pdata.......G.......E.............@..@.rsrc........@I.......F.............@..@.reloc...F...PI..H....F.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	215288
Entropy (8bit):	6.050529290720027
Encrypted:	false
SSDEEP:	3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
MD5:	BF5EE5008353BB5C52DCF8821082CE6B
SHA1:	F85B517F96FE87D953925D05238345A03594C8F8
SHA-256:	9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
SHA-512:	B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[..5...5...5......5...1...5...6...5...0...5...4...5...4...5.#.4...5...4.-.5.#.0...5.#.5...5.#....5.......5.#.7...5.Rich..5.........PE..d.....-a.........." .........j...............................................p............ ..............................................!...........P..h....0.......,.......`..........T...........................@................................................text............................... ..`.rdata..............................@..@.data....$..........................@....pdata.......0... ..................@..@.rsrc...h....P......."..............@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ghiuoqfj.rar

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	410286
Entropy (8bit):	7.999439739918456
Encrypted:	true
SSDEEP:	12288:qiy7UWJmwWAmkIvMa3ImNtPteTG7/3Ynu+nOuYVjwwaeQ:wPJvJB2jtVeTe3YuxuYd3Q
MD5:	29CD433EC8BDEB8FE60F170DE69E5DE0
SHA1:	029D95777CB78F874A8751CDEFDACE492B79FACC
SHA-256:	97A47BF9786944D2A4CE9F15E0DD2DC84CD3E447E9B382E7F9F29BB2B367EA92
SHA-512:	A4A4A4CBAE0C046BA9E55824672151F3CF4F4E7006C7B011E982580F91E5DC1B5B8381349AACF665F100044CBF86601B15080FF51A2FC082E37E33DCDF3A88B6
Malicious:	false
Preview:	Rar!.....:q.!......T......H?..&\|N%o..H.vz.r.@\|\..].O...fS.}..s"R.......v....Yz.`.!.S.<P..Qt....yn....hp...O.`.......n9..yR.#]......)c.s.......s...G....nD..y..E..W{..,.\J.....W..........N.......!Pv0.f^..).."........q.rG.. ...!1.....n...=.C.T.#g..n.."..G.z...T...x..m.~.B.....45 ..z.... .......%u1:...V5zk*B......\.n.Y..~h...@....h..[.=...i....x...!.Nq.....W.jG.Q%..k...l.#.....j.W.\!...%....w.A.......Mk.......4......3..N..j(...IA?.~Ko.0..0E.(..%..n+.5....;.~.....l..os..`.....Tl..,.N.Cr..F.ZV._....P0.(I.S...,3..A..)tZ_)..n.y,....G.Vx.8g...x..>.........^./%s.=.I0......!}x.7...iT...?!...W.x@`?V.oe..2.`M.+...k.,n........y...^L..p...!..Jo....2\<.LKuW.E[B.v......v.).....&.....\EE".2F..FI5m9..{..C.>..........C.%C.]...].%..>.V....r.#G.D..V.Q..jA_.P..'[..q.!..X..@.....xJ....b....W.....C...d.I(K....wQAx...n.w..........8PH..0...V......G.....e....M.a...sP....p.e."...Y....G.4v..>.M...M-/uM..@y..;~........O.C...L..H..3'...'.w.(. g...Q.S....k.M...R..P..o.

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	566704
Entropy (8bit):	6.494428734965787
Encrypted:	false
SSDEEP:	12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
MD5:	6DA7F4530EDB350CF9D967D969CCECF8
SHA1:	3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
SHA-256:	9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
SHA-512:	1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%\|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.879664004902594
Encrypted:	false
SSDEEP:	3:mKDDlR+7H6U:hOD6U
MD5:	D9324699E54DC12B3B207C7433E1711C
SHA1:	864EB0A68C2979DCFF624118C9C0618FF76FA76C
SHA-256:	EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
SHA-512:	E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
Malicious:	false
Preview:	@echo off..Start "" %1

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\classes.jsa

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	12124160
Entropy (8bit):	4.1175508751036585
Encrypted:	false
SSDEEP:	49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
MD5:	8A13CBE402E0BBF3DA56315F0EBA7F8E
SHA1:	EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
SHA-256:	7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
SHA-512:	46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
Malicious:	false
Preview:	.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\classes_nocoops.jsa

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	12124160
Entropy (8bit):	4.117842215789484
Encrypted:	false
SSDEEP:	49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
MD5:	8DD2CDF8B1702DEE25F4BC2DCE10DA8F
SHA1:	7AE8D142C41159D65C7AB9598C90EC1DF33138D1
SHA-256:	B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
SHA-512:	6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
Malicious:	false
Preview:	....j..L.........*.\.....................................+..............................j..-.....................................!>.............................\|<:.......................A.......@...... t...............................".....................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.datatransfer.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	51389
Entropy (8bit):	7.916683616123071
Encrypted:	false
SSDEEP:	768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
MD5:	8F4C0388762CD566EAE3261FF8E55D14
SHA1:	B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
SHA-256:	AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
SHA-512:	1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^#.j...R.A..qV.1o...p.....\|._.-N$.!.;X....\|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be..eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N......r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.desktop.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	12133334
Entropy (8bit):	7.944474086295981
Encrypted:	false
SSDEEP:	196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
MD5:	E3705B15388EC3BDFE799AD5DB80B172
SHA1:	0B9B77F028727C73265393A68F37FC69C30205BD
SHA-256:	BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
SHA-512:	CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.X...e../.l.!..!.#..M..."..g..#.B.........0;{.AAD.EE..QQQ.aG....{.]....7......~.{....k...{....<HD...4.......x%?G.4_St.Z...\..].+c..t.t........iC./...gZ..].8C..D'M...\3.+~5......z.<.f1..2.v./.As.Lv.....`2.M%...d.h..S`....YC.....D.u0-l.V#.5.,.e..)[..[.v..............d.I...A........A+&."..8g.)"..E..1!.Z.]....Ak..5.......<'..L8bC..V4.U2.~$...i....)."I...O...d:......@..S...w0m...-....2..x....z.....O....k.8.}....P.....=..I/...<../.d..k....43VL.i...........C.S\|`..!b.8....3.Ey..S..e..+.../T..j...g..B.@q9.."..>.LU..2-i....-.!....Z....g.BGl.j..R...Z.D.YJ.Kd...9 l.FN4.Rk.22..b..Rn...u..x.,...j.I.aZ.....X[{L.e..Z#..`.Z...8..[.p..0.(...j..W..-M...V..H7.c.KN...5e.."...t[um..R...UF.c..1.....z\|z.EeO..j..k.V..\x.8.....et;.9.^.Pa..+......U....Iu.q.t....HY.g...q.......omK...FKr1.F..F?.i.d../.]....68..L.........W..s.CU.\|y.....zE..Q\...82..W.i[.#Q..xm......P..u.<.#...yC...,........~B..\|sF.

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.instrument.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	41127
Entropy (8bit):	7.961466748192397
Encrypted:	false
SSDEEP:	768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
MD5:	D039093C051B1D555C8F9B245B3D7FA0
SHA1:	C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
SHA-256:	4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
SHA-512:	334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..\|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z\|.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......\|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.logging.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	113725
Entropy (8bit):	7.928841651831531
Encrypted:	false
SSDEEP:	3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
MD5:	3A03EF8F05A2D0472AE865D9457DAB32
SHA1:	7204170A08115A16A50D5A06C3DE7B0ADB6113B1
SHA-256:	584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
SHA-512:	1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm........Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h..^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz\|..^.........8q..{...}.G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH\|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.management.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	896846
Entropy (8bit):	7.923431656723031
Encrypted:	false
SSDEEP:	12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
MD5:	C6FBB7D49CAA027010C2A817D80CA77C
SHA1:	4191E275E1154271ABF1E54E85A4FF94F59E7223
SHA-256:	1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
SHA-512:	FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..\|..]{.........S\|...(cu/..i.d.z...[....'.M\|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.\|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..\|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	639224
Entropy (8bit):	6.219852228773659
Encrypted:	false
SSDEEP:	12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
MD5:	01DACEA3CBE5F2557D0816FC64FAE363
SHA1:	566064A9CB1E33DB10681189A45B105CDD504FD4
SHA-256:	B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
SHA-512:	C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37256
Entropy (8bit):	6.297533243519742
Encrypted:	false
SSDEEP:	384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
MD5:	135359D350F72AD4BF716B764D39E749
SHA1:	2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
SHA-256:	34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
SHA-512:	CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)\|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................

C:\Windows\Installer\5c7c35.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {394343F4-E39C-409D-BD57-1C70A6E4B89C}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 06:52:15 2024, Last Saved Time/Date: Thu Dec 26 06:52:15 2024, Last Printed: Thu Dec 26 06:52:15 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	60336401
Entropy (8bit):	7.202440545009856
Encrypted:	false
SSDEEP:	786432:zGZojVmrjV7eIAtehOTZ0oZ4sdUuzt/NCaY2ksCo:zGcVmrjV7eIvhOTZ5RjVCa1tP
MD5:	0C7AFA785117AFDB85AB29B0A12EDC51
SHA1:	3B685880E7EC090AB3EAD12D591B2ACA1AC3DCFE
SHA-256:	D14ACCE52061BAA353FFD5698C16DD07A9CCA9D86B28C1DE64D51E21C3C3C6AC
SHA-512:	276AE21DAEFF60CDCE52ADE7ADA801D89D642092160B1CBD91BEC80F5F3E4FB339D79F4871C8EAFA07D15763CA59F0B1BD04CB6B95F0F64A132674AE24FCC37D
Malicious:	false
Preview:	......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)......................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-...7.../...0...1...2...3...4...5...6.......9...N...:...;...<...=...>...?...@...A...D...C...K...E...F...G...H...I...J...""..L...M...e...O...P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

C:\Windows\Installer\5c7c38.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {394343F4-E39C-409D-BD57-1C70A6E4B89C}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 06:52:15 2024, Last Saved Time/Date: Thu Dec 26 06:52:15 2024, Last Printed: Thu Dec 26 06:52:15 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	60336401
Entropy (8bit):	7.202440545009856
Encrypted:	false
SSDEEP:	786432:zGZojVmrjV7eIAtehOTZ0oZ4sdUuzt/NCaY2ksCo:zGcVmrjV7eIvhOTZ5RjVCa1tP
MD5:	0C7AFA785117AFDB85AB29B0A12EDC51
SHA1:	3B685880E7EC090AB3EAD12D591B2ACA1AC3DCFE
SHA-256:	D14ACCE52061BAA353FFD5698C16DD07A9CCA9D86B28C1DE64D51E21C3C3C6AC
SHA-512:	276AE21DAEFF60CDCE52ADE7ADA801D89D642092160B1CBD91BEC80F5F3E4FB339D79F4871C8EAFA07D15763CA59F0B1BD04CB6B95F0F64A132674AE24FCC37D
Malicious:	false
Preview:	......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)......................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-...7.../...0...1...2...3...4...5...6.......9...N...:...;...<...=...>...?...@...A...D...C...K...E...F...G...H...I...J...""..L...M...e...O...P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

C:\Windows\Installer\MSI852E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI85BB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI861A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI864A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8699.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201504
Entropy (8bit):	6.4557937684843365
Encrypted:	false
SSDEEP:	24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
MD5:	E83D774F643972B8ECCDB3A34DA135C5
SHA1:	A58ECCFB12D723C3460563C5191D604DEF235D15
SHA-256:	D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
SHA-512:	CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.\|CF..@G.\|DF..@G.\|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI86D9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8718.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA3C9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380520
Entropy (8bit):	6.512348002260683
Encrypted:	false
SSDEEP:	6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
MD5:	FFDAACB43C074A8CB9A608C612D7540B
SHA1:	8F054A7F77853DE365A7763D93933660E6E1A890
SHA-256:	7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
SHA-512:	A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIAFC0.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	392783
Entropy (8bit):	4.732388420203725
Encrypted:	false
SSDEEP:	3072:7t29vAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzk:7t29oCANx6xPZX9mB/
MD5:	726D8B46EA68C6DD48E95746319D8DA5
SHA1:	959B117193807AFC56A3ADCE0DD37956F8029C32
SHA-256:	F8BEEF26B430C20CD13ADEB3F90ED9034F67B369DFB2C9B3EF2FB385A5F16397
SHA-512:	635C45F084345456D255F4326903D1E54A163AE77E283AA3BB0EEDC0D2C66EF10AC1FF834B62392C52A176CE683FED18A48697B7F24601AC3179F0A90D301499
Malicious:	false
Preview:	...@IXOS.@.....@p8.Y.@.....@.....@.....@.....@.....@......&.{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}..Cave App..setup.msi.@.....@.....@.....@......icon_22.exe..&.{394343F4-E39C-409D-BD57-1C70A6E4B89C}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}>.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}3.21:\Software\Weqos Apps Industries\Cave App\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}I.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}P.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll.@.......@.....@.....@......&.{DE28A5

C:\Windows\Installer\MSIAFE1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	787808
Entropy (8bit):	6.693392695195763
Encrypted:	false
SSDEEP:	24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
MD5:	8CF47242B5DF6A7F6D2D7AF9CC3A7921
SHA1:	B51595A8A113CF889B0D1DD4B04DF16B3E18F318
SHA-256:	CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
SHA-512:	748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1618503272477452
Encrypted:	false
SSDEEP:	12:JSbX72FjFaAGiLIlHVRpMh/7777777777777777777777777vDHFakf+BLp3Xl0G:J/aQI5cnf+Bl6F
MD5:	5FAB291BECE0B6AC2691F4B7DE0F2623
SHA1:	A098835B47677CBB91E2CA7C34A4329DBD54B60D
SHA-256:	31CC7877A9135DCB251EBE14B38E557D5C40E06E11C2DB4F4AF1ED14DEA2B3A1
SHA-512:	48945CFA32B8E0F8FD711B3CD0EDBC72EFDCB3314185BB8676249E3170B9DF63F066BE740722FA4CDBD141949DF49219AB53C7B27870B6992CFBFE3B5061D65B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5692392899058982
Encrypted:	false
SSDEEP:	48:C8PhluRc06WXOCFT5xGL4SZYJcSAECiCyISCJcZoSMUXeJcwSCJcoT:thl1UFTQZv5ECnSpX9wS
MD5:	A15CF3CBD45B2877AE85F8D16CDD2A10
SHA1:	83E42AF461E9D49C7F3EAB75D2CEF91428FF7CAD
SHA-256:	4601802FD9C355F15ED0E3614B741FFC5E0CBF4FE2A49D0FD6DDC9446CA275AD
SHA-512:	4E15EF150C0760F7ED3739F8FD88A1FC898664F6C63433343F18628E9F6BF2DA767D77E1A49CC0F8AE27DAA64D57ED5535AFABC6A902007722B23C17E84DF9D8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375175674230122
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau0:zTtbmkExhMJCIpErB
MD5:	EB3557A9D0463FD9CAFB0CF974A3F112
SHA1:	211E5777FC898A297F4171FF491553DA0AEF0D96
SHA-256:	58FB2D2F4F19883938BEA99ED1E03745E93AB00B825FB1C04F57D000B2D9F53C
SHA-512:	70481C454593DC01DD12C1841D357464776505D7EE27AEB4F9EB55E6852B925F9B7CA0C0979CF2B3A8F3EC6DF6E33C04AEC780343CDCF639A8C5EDAE1B60248B
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF1CBDAB3F5AC0A66A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2575606802715282
Encrypted:	false
SSDEEP:	48:ekduFPvcFXOTT5mGL4SZYJcSAECiCyISCJcZoSMUXeJcwSCJcoT:jdFOT3Zv5ECnSpX9wS
MD5:	F80E484A58F6679103AF8A78820F5DF5
SHA1:	1E374E51929E6523886C08ABC490B8C947B75418
SHA-256:	BF51F013D2C5A739FE526ACD05CC988866E9088B506CE41E377FCD5F4B7B4C4F
SHA-512:	B0C78D6B1D7C013128BA866AA306650A14D4D08A0E3C89E7B33514FCE366614166B119872C2E37EBBFFBE0F3FB8311BCB91C74EEFA9E294CAD6849C42C25776B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF28110E50532DE64C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.1392020454032706
Encrypted:	false
SSDEEP:	48:jTeJcwSCJcFJcSAECiCyISCJcZoSMUXqZm4cG:FwSY5ECnSpXqZ
MD5:	D05C3585E5148A0C4AC209BF8A45A433
SHA1:	6450ACE515015205F53F1EE8868CA893686EA427
SHA-256:	58AC7F5A3CDD1799347EFFE23D0B1B785781096CCAFEFAE3A001076AFBA2B0A3
SHA-512:	DBD1C9DA867125264EBFD83E3A48E1D80EFF0F857270A502D706238172BDAD14F2204BA9A53E031E655414CFC494B9200384335EEA948FD5084E8E5D9D139EBE
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF362DA61E540904A1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06902564718218489
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOaSVf+suEyVky6l3X:2F0i8n0itFzDHFakf+B23X
MD5:	9FD9ADC713647FD3B9A4DCE591A86311
SHA1:	A06F4D201B78F599933353D8BF8DA312C5D7C648
SHA-256:	422F276D09C99C5156AA9C3AFC46B17D6E76048F93A24A5E141CAC026655A45D
SHA-512:	EB7F38AB3038C9619B402E71E5D0AD3B67A39430A652783C20437DF8A9039A7C26B80E40572D2B6A1CC815EE6C904D6325B461DFB725EDA8F3BEA43E0F3700D9
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3BBEC92244292159.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF402EFA267EF256E2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF439291FFD077EDE6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2575606802715282
Encrypted:	false
SSDEEP:	48:ekduFPvcFXOTT5mGL4SZYJcSAECiCyISCJcZoSMUXeJcwSCJcoT:jdFOT3Zv5ECnSpX9wS
MD5:	F80E484A58F6679103AF8A78820F5DF5
SHA1:	1E374E51929E6523886C08ABC490B8C947B75418
SHA-256:	BF51F013D2C5A739FE526ACD05CC988866E9088B506CE41E377FCD5F4B7B4C4F
SHA-512:	B0C78D6B1D7C013128BA866AA306650A14D4D08A0E3C89E7B33514FCE366614166B119872C2E37EBBFFBE0F3FB8311BCB91C74EEFA9E294CAD6849C42C25776B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4E3E65EF000B04D6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6E6136072E6F8FFB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA29E4B10CDA11C22.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC51B7AB9E75F8C29.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5692392899058982
Encrypted:	false
SSDEEP:	48:C8PhluRc06WXOCFT5xGL4SZYJcSAECiCyISCJcZoSMUXeJcwSCJcoT:thl1UFTQZv5ECnSpX9wS
MD5:	A15CF3CBD45B2877AE85F8D16CDD2A10
SHA1:	83E42AF461E9D49C7F3EAB75D2CEF91428FF7CAD
SHA-256:	4601802FD9C355F15ED0E3614B741FFC5E0CBF4FE2A49D0FD6DDC9446CA275AD
SHA-512:	4E15EF150C0760F7ED3739F8FD88A1FC898664F6C63433343F18628E9F6BF2DA767D77E1A49CC0F8AE27DAA64D57ED5535AFABC6A902007722B23C17E84DF9D8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE587387B172C03A3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5692392899058982
Encrypted:	false
SSDEEP:	48:C8PhluRc06WXOCFT5xGL4SZYJcSAECiCyISCJcZoSMUXeJcwSCJcoT:thl1UFTQZv5ECnSpX9wS
MD5:	A15CF3CBD45B2877AE85F8D16CDD2A10
SHA1:	83E42AF461E9D49C7F3EAB75D2CEF91428FF7CAD
SHA-256:	4601802FD9C355F15ED0E3614B741FFC5E0CBF4FE2A49D0FD6DDC9446CA275AD
SHA-512:	4E15EF150C0760F7ED3739F8FD88A1FC898664F6C63433343F18628E9F6BF2DA767D77E1A49CC0F8AE27DAA64D57ED5535AFABC6A902007722B23C17E84DF9D8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFFEE9586C5C8C6B5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2575606802715282
Encrypted:	false
SSDEEP:	48:ekduFPvcFXOTT5mGL4SZYJcSAECiCyISCJcZoSMUXeJcwSCJcoT:jdFOT3Zv5ECnSpX9wS
MD5:	F80E484A58F6679103AF8A78820F5DF5
SHA1:	1E374E51929E6523886C08ABC490B8C947B75418
SHA-256:	BF51F013D2C5A739FE526ACD05CC988866E9088B506CE41E377FCD5F4B7B4C4F
SHA-512:	B0C78D6B1D7C013128BA866AA306650A14D4D08A0E3C89E7B33514FCE366614166B119872C2E37EBBFFBE0F3FB8311BCB91C74EEFA9E294CAD6849C42C25776B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	638
Entropy (8bit):	4.751962275036146
Encrypted:	false
SSDEEP:	12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
MD5:	15CA959638E74EEC47E0830B90D0696E
SHA1:	E836936738DCB6C551B6B76054F834CFB8CC53E5
SHA-256:	57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
SHA-512:	101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
Malicious:	false
Preview:	[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {394343F4-E39C-409D-BD57-1C70A6E4B89C}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 06:52:15 2024, Last Saved Time/Date: Thu Dec 26 06:52:15 2024, Last Printed: Thu Dec 26 06:52:15 2024, Number of Pages: 450
Entropy (8bit):	7.202440545009856
TrID:	Windows SDK Setup Transform Script (63028/2) 88.73% Generic OLE2 / Multistream Compound File (8008/1) 11.27%
File name:	setup.msi
File size:	60'336'401 bytes
MD5:	0c7afa785117afdb85ab29b0a12edc51
SHA1:	3b685880e7ec090ab3ead12d591b2aca1ac3dcfe
SHA256:	d14acce52061baa353ffd5698c16dd07a9cca9d86b28c1de64d51e21c3c3c6ac
SHA512:	276ae21daeff60cdce52ade7ada801d89d642092160b1cbd91bec80f5f3e4fb339d79f4871c8eafa07d15763ca59f0b1bd04cb6b95f0f64a132674ae24fcc37d
SSDEEP:	786432:zGZojVmrjV7eIAtehOTZ0oZ4sdUuzt/NCaY2ksCo:zGcVmrjV7eIvhOTZ5RjVCa1tP
TLSH:	FFD76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
File Content Preview:	........................>............................................2..................................................................x......................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T13:03:31.023601+0100	2829202	ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA	1	192.168.2.4	49730	104.21.6.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 13:03:29.494788885 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:29.494832993 CET	443	49730	104.21.6.3	192.168.2.4
Dec 26, 2024 13:03:29.494999886 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:29.510262012 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:29.510274887 CET	443	49730	104.21.6.3	192.168.2.4
Dec 26, 2024 13:03:30.823327065 CET	443	49730	104.21.6.3	192.168.2.4
Dec 26, 2024 13:03:30.823446035 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:31.016684055 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:31.016721964 CET	443	49730	104.21.6.3	192.168.2.4
Dec 26, 2024 13:03:31.017096996 CET	443	49730	104.21.6.3	192.168.2.4
Dec 26, 2024 13:03:31.017180920 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:31.023427963 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:31.023509026 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:31.023556948 CET	443	49730	104.21.6.3	192.168.2.4
Dec 26, 2024 13:03:31.797503948 CET	443	49730	104.21.6.3	192.168.2.4
Dec 26, 2024 13:03:31.797569990 CET	443	49730	104.21.6.3	192.168.2.4
Dec 26, 2024 13:03:31.797570944 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:31.797662020 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:31.798254967 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:31.798274040 CET	443	49730	104.21.6.3	192.168.2.4
Dec 26, 2024 13:03:31.798286915 CET	49730	443	192.168.2.4	104.21.6.3
Dec 26, 2024 13:03:31.798342943 CET	49730	443	192.168.2.4	104.21.6.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 13:03:29.180581093 CET	54013	53	192.168.2.4	1.1.1.1
Dec 26, 2024 13:03:29.487155914 CET	53	54013	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 26, 2024 13:03:29.180581093 CET	192.168.2.4	1.1.1.1	0x4cb6	Standard query (0)	successroadway.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 26, 2024 13:03:29.487155914 CET	1.1.1.1	192.168.2.4	0x4cb6	No error (0)	successroadway.com		104.21.6.3	A (IP address)	IN (0x0001)	false
Dec 26, 2024 13:03:29.487155914 CET	1.1.1.1	192.168.2.4	0x4cb6	No error (0)	successroadway.com		172.67.134.27	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

successroadway.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.6.3	443	7084	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 12:03:31 UTC	196	OUT	POST /updater.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvancedInstaller Host: successroadway.com Content-Length: 71 Cache-Control: no-cache
2024-12-26 12:03:31 UTC	71	OUT	Data Raw: 44 61 74 65 3d 32 36 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 30 37 25 33 41 30 33 25 33 41 32 38 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65 Data Ascii: Date=26%2F12%2F2024&Time=07%3A03%3A28&BuildVersion=8.9.9&SoroqVins=True
2024-12-26 12:03:31 UTC	839	IN	HTTP/1.1 500 Internal Server Error Date: Thu, 26 Dec 2024 12:03:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wr0l7a54uaJ%2BgGlSU38OGUXxKXezxtuv%2BoePb9zBRndEeW%2BGkHn2fgWhdIx8JMDgRexF5jfEVgY8%2BKs8MWLqYHie9Nr7RbQUX6fsriZdBiY3zMRipiESUU8TA%2BI5CbtG4B5adVg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f80ed97fcec8c1e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1905&min_rtt=1897&rtt_var=727&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=927&delivery_rate=1488277&cwnd=212&unsent_bytes=0&cid=f1140c874d142bdb&ts=987&x=0"
2024-12-26 12:03:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	07:03:17
Start date:	26/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Imagebase:	0x7ff6795b0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:03:17
Start date:	26/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6795b0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:03:20
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding AB445A69D981EDB4D15E6FBD975892FD
Imagebase:	0xf90000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:03:31
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB0A6.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB093.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB094.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB095.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase:	0xe00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:03:31
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:03:37
Start date:	26/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Imagebase:	0x7ff7c7c10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:03:37
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
Imagebase:	0x7ff71fba0000
File size:	57'488 bytes
MD5 hash:	71F796B486C7FAF25B9B16233A7CE0CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:03:37
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:03:37
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:03:37
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Imagebase:	0x7ff72bec0000
File size:	117'496 bytes
MD5 hash:	F67792E08586EA936EBCAE43AAB0388D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:03:38
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 076C1B77 Relevance: 4.2, Strings: 3, Instructions: 485COMMON

Download Yara Rule

Strings

$^q, xrefs: 076C1BEB
$^q, xrefs: 076C1C3E
$^q, xrefs: 076C1C32

Memory Dump Source

Source File: 00000003.00000002.1872526697.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_76c0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 946b5f10405a1c5212168fd92990c8a90f008169cf8de83fd677b2905a9a60fa
Instruction ID: 151eb66fafae9ad222a76946109403c5aabb01d03193845cc29eca65c3793c27
Opcode Fuzzy Hash: 946b5f10405a1c5212168fd92990c8a90f008169cf8de83fd677b2905a9a60fa
Instruction Fuzzy Hash: FF6106F560828D9FCB19DB7894546B57FE1EF43220F1484AEE4428F293DA39C945CB61

Function 049D8BC8 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

U, xrefs: 049D8FFD

Memory Dump Source

Source File: 00000003.00000002.1863601664.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_49d0000_powershell.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: bf28e4b97a97126f3595be568e75047770b971286707f14bc4e5aae985d5383d
Instruction ID: a547337766af105f7781674134622268e2b3fe5e461ac656976b92400882dde1
Opcode Fuzzy Hash: bf28e4b97a97126f3595be568e75047770b971286707f14bc4e5aae985d5383d
Instruction Fuzzy Hash: DA71BE30A00249CFCB14EF68D884A9EBBF6AF85304F14C579E455DB656EB75EC46CB80

Function 049D36B0 Relevance: .6, Instructions: 626COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1863601664.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_49d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88091b45069e3856eb4cb07b7de782e8c46ef2f265d0baf8d382f257e526d08f
Instruction ID: 6f1ae7dae32e3b2b87ec938ca7a244528fc4eaafc2bda289cde732c64559bb74
Opcode Fuzzy Hash: 88091b45069e3856eb4cb07b7de782e8c46ef2f265d0baf8d382f257e526d08f
Instruction Fuzzy Hash: 8332C174B053419FC725CF28C490AAABBB2FF89304B1489A9D8468F756DB35FC46CB52

Function 049D8478 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1863601664.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_49d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f205a1114e56e4b270dba2961ed4cc57e86bda06c0b7411afe3cdff48f926c1
Instruction ID: 1867c94b2efbfabe115a1d6401d27e2e5ea63dae59f69725f8b89a2216a4f609
Opcode Fuzzy Hash: 4f205a1114e56e4b270dba2961ed4cc57e86bda06c0b7411afe3cdff48f926c1
Instruction Fuzzy Hash: 31A18F35A002089FDB14EFA5D944A9DBBF6FFC4340F118568E416AF26ADB74AD49CB80

Function 049D8D36 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1863601664.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_49d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414cfed16d4a4725d2ec2f7ff5adfde2e712c1bc75c430ecef790533fa500a87
Instruction ID: 793384f1e47a434d9ee9221ca37279b57841d15d4b3e2cf83d2e1614de714004
Opcode Fuzzy Hash: 414cfed16d4a4725d2ec2f7ff5adfde2e712c1bc75c430ecef790533fa500a87
Instruction Fuzzy Hash: ED717D70A01208DFDB18EFA4D494BADBBF6BF88304F148529D416AB2A1DB34AC46CF51

Function 049D8959 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1863601664.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_49d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87bc108ffcc51596dbdfabdd5075088614cf566d0f0bbd8186a3df676de5c70
Instruction ID: e4061414f303c857d3a8fd489e15290c6cf902951151389d069d74d7522ae6be
Opcode Fuzzy Hash: a87bc108ffcc51596dbdfabdd5075088614cf566d0f0bbd8186a3df676de5c70
Instruction Fuzzy Hash: 5E418F756012049FDB14EF24C858AAE7BF6EF89750F188169E406EB3A5DF38EC41CB50

Function 049D8BB3 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1863601664.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_49d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165f65c7eb06e1cd3b5d0f44a046636f874ee304d0d51d78899ab5e44e7e9fc8
Instruction ID: 260640ce01234fb130bfb02b13ecdffd6da1fc065a54b7cd389a150b5149088a
Opcode Fuzzy Hash: 165f65c7eb06e1cd3b5d0f44a046636f874ee304d0d51d78899ab5e44e7e9fc8
Instruction Fuzzy Hash: 89419070A00209CFDB18EFA9C89469EBBF6BF85300F148579D056AB795EB74AC45CF80

Function 049D3D10 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1863601664.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_49d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1852c6a9a9278f952f0cbe4f927eca090039043c106aedc44207f39afb3f58aa
Instruction ID: cd52f4112b4f64269a9f68982281d82f3ce4b44712291a7c7ffc9f5c5e8b96c8
Opcode Fuzzy Hash: 1852c6a9a9278f952f0cbe4f927eca090039043c106aedc44207f39afb3f58aa
Instruction Fuzzy Hash: 324146B4A005059FCB1ACF58C5989AEFBB1FF48310B1586A9D801AB3A4C736FC50CFA1

Function 0308D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1862979352.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_308d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cec5d7272650f581a1365430d93c37f73a3fd1825c819ffb35da40a7dc40fd
Instruction ID: 8ab7fe401b2e85e9eb4ec4c825d688733ab5d6d30d1cd7f1a45b5a2e6626106c
Opcode Fuzzy Hash: 95cec5d7272650f581a1365430d93c37f73a3fd1825c819ffb35da40a7dc40fd
Instruction Fuzzy Hash: 3A01F73140A3049AE710EB25CD84B6BFFD8DF41324F0CC669ED884A286C679D841CAB1

Function 0308D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1862979352.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_308d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd85c6216757587c2fc09a35b23d6c9f65cefd80b1a15d0f98a16156779fdea
Instruction ID: 47210190dd51e482da06b1750c6da55a6d1c9ca9491199e18059b678dcf17441
Opcode Fuzzy Hash: 4cd85c6216757587c2fc09a35b23d6c9f65cefd80b1a15d0f98a16156779fdea
Instruction Fuzzy Hash: 2D01407140E3C09ED7128B25CC94B52BFB4EF47224F1D81DBD8888F1A3C2699844CB72

Function 049D88ED Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1863601664.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_49d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acbf384bdca56af1ca5c89db5f3202695e0be183633ac4dc86e3be512f8ecea0
Instruction ID: b47865b63a2ec54034b1e9c545a46a219d034e76591150e20752f8caec088a55
Opcode Fuzzy Hash: acbf384bdca56af1ca5c89db5f3202695e0be183633ac4dc86e3be512f8ecea0
Instruction Fuzzy Hash: C5F03774640306CFDB04EBA4C555B6E77B2EF80340F108964D1419F369DB789D49CBC0

Non-executed Functions

Function 076C1658 Relevance: 15.3, Strings: 12, Instructions: 321COMMON

Download Yara Rule

Strings

^k, xrefs: 076C173F
$^q, xrefs: 076C1690
tP^q, xrefs: 076C16D5
84fk, xrefs: 076C17E0
tP^q, xrefs: 076C1837
$^q, xrefs: 076C166A
$^q, xrefs: 076C17B4
^k, xrefs: 076C174D
$^q, xrefs: 076C169C
84fk, xrefs: 076C17EA
tP^q, xrefs: 076C16E1
tP^q, xrefs: 076C1843

Memory Dump Source

Source File: 00000003.00000002.1872526697.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_76c0000_powershell.jbxd

Similarity

API ID:
String ID: 84fk$84fk$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$^k$^k
API String ID: 0-523606296
Opcode ID: 0338cad43cf4cd06fb923b70b9857aa5bae9cb721ac86443cf9eaa67d77e5931
Instruction ID: 26b23e0c5cd96f3782307abf43301722777ae441de13bbfc8147a4367ab1d7bc
Opcode Fuzzy Hash: 0338cad43cf4cd06fb923b70b9857aa5bae9cb721ac86443cf9eaa67d77e5931
Instruction Fuzzy Hash: 55A127F17083598FD719DB79941467ABFA6EF83220B1880AFD446CB352CA31DC46C7A1

Function 076C0898 Relevance: 10.2, Strings: 8, Instructions: 182COMMON

Download Yara Rule

Strings

$^q, xrefs: 076C091D
$^q, xrefs: 076C08EF
$^q, xrefs: 076C0929
$^q, xrefs: 076C0A3E
$^q, xrefs: 076C0A62
4'^q, xrefs: 076C0953
4'^q, xrefs: 076C0947
$^q, xrefs: 076C0A56

Memory Dump Source

Source File: 00000003.00000002.1872526697.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_76c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3732357466
Opcode ID: 0c898860715e1d513f49628376a84cf6394f903fbaa24e19e3eb64147ee3151b
Instruction ID: 95c9065ecb178866db2567ab8b8b27ee148a789be22bfd07996491a5d7fe77c0
Opcode Fuzzy Hash: 0c898860715e1d513f49628376a84cf6394f903fbaa24e19e3eb64147ee3151b
Instruction Fuzzy Hash: C95119B5704306CFDB25CA799D0067ABBB5EFC5220F2484AFD446CB356DA31C946C761

Function 076C0E88 Relevance: 6.3, Strings: 5, Instructions: 79COMMON

Download Yara Rule

Strings

$^q, xrefs: 076C0ECB
4ek, xrefs: 076C0F3E
$^q, xrefs: 076C0F00
$^q, xrefs: 076C0F0C
4ek, xrefs: 076C0F30

Memory Dump Source

Source File: 00000003.00000002.1872526697.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_76c0000_powershell.jbxd

Similarity

API ID:
String ID: 4ek$4ek$$^q$$^q$$^q
API String ID: 0-3211894024
Opcode ID: b4eb5303a4595d9213fb6e8282bafb166a5a58472dd29a16fe1e174acd2eafed
Instruction ID: d3529d32b4f2cc554dbf87b0c186a107955b0450adfb450aeda62d1a0f1e18b2
Opcode Fuzzy Hash: b4eb5303a4595d9213fb6e8282bafb166a5a58472dd29a16fe1e174acd2eafed
Instruction Fuzzy Hash: EA11D8F131020ADBCA24D9395C5063B769ECFC5651B18443ED917DB395DE36C892C271

Function 076C04D1 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076C053B
$^q, xrefs: 076C0526
$^q, xrefs: 076C051A
4'^q, xrefs: 076C0547

Memory Dump Source

Source File: 00000003.00000002.1872526697.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_76c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 53fbecd6401116fd8c3a320ba28c81cce75268ba8f85772d5d86e7aa3f898b93
Instruction ID: f61c56b329561cdb0eb69932d0bf5e50ca1369f2ad507f68fbc5bf833f11e9e6
Opcode Fuzzy Hash: 53fbecd6401116fd8c3a320ba28c81cce75268ba8f85772d5d86e7aa3f898b93
Instruction Fuzzy Hash: 3901BCA164D3898FC71A92382C200657FB29F8354076901DBC182DF3ABCD6A8C4A83A2

Analysis Process: createdump.exePID: 3052, Parent PID: 6748COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	701
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF71FBA1060 Relevance: 65.0, APIs: 13, Strings: 24, Instructions: 214
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF71FBA112F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF71FBA115B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF71FBA1187
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF71FBA1230
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF71FBA123C
GetTempPathA.KERNEL32 ref: 00007FF71FBA12C1
GetLastError.KERNEL32 ref: 00007FF71FBA12CB
GetLastError.KERNEL32 ref: 00007FF71FBA12DF
strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF71FBA12F8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1350
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1359
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1364
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA136D

Strings

GetTempPath failed (0x%08x), xrefs: 00007FF71FBA12D3
Dump successfully written, xrefs: 00007FF71FBA1338
-, xrefs: 00007FF71FBA113C
--verbose, xrefs: 00007FF71FBA1226
--name, xrefs: 00007FF71FBA10B8
--normal, xrefs: 00007FF71FBA1125
-, xrefs: 00007FF71FBA1110
minidump with heap, xrefs: 00007FF71FBA107C, 00007FF71FBA10BF
full dump, xrefs: 00007FF71FBA11C3
-, xrefs: 00007FF71FBA1168
-, xrefs: 00007FF71FBA1194
--withheap, xrefs: 00007FF71FBA1151
dump.%p.dmp, xrefs: 00007FF71FBA12E9
-, xrefs: 00007FF71FBA11D7
strcat_s failed (%d), xrefs: 00007FF71FBA1306
--diag, xrefs: 00007FF71FBA11EF
--triage, xrefs: 00007FF71FBA117D
-, xrefs: 00007FF71FBA10DC
createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn, xrefs: 00007FF71FBA1386
minidump, xrefs: 00007FF71FBA1267
triage minidump, xrefs: 00007FF71FBA1247
--full, xrefs: 00007FF71FBA11A8
v, xrefs: 00007FF71FBA121A
-, xrefs: 00007FF71FBA1215

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
API String ID: 2647627392-2367407095
Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
Instruction ID: 68dff463d56630a0e07c49150bab9312634c45f5b84824aff663faed5502e3f7
Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
Instruction Fuzzy Hash: F8A12B65D0EFC255FBB3BB30A4402F9A6A4AB45FB4F885135C94E46699DE3CE44C8B30

Function 00007FF71FBA27EC Relevance: 13.6, APIs: 9, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF71FBA2800

Part of subcall function 00007FF71FBA2B8C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF71FBA2BAE

__scrt_release_startup_lock.LIBCMT ref: 00007FF71FBA2883
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA28D1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA28D6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA28DE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA28E6
__scrt_is_managed_app.LIBCMT ref: 00007FF71FBA28FA
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA2908
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA2962

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 2308368977-0
Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
Instruction ID: ab9cfa2202326882ec89a86e4030865281b6641edc5d5257efc38e26fa59434f
Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
Instruction Fuzzy Hash: 4C311C21E0FE9341EA36BB3594113F9D291AF45FA4FC85039E94D07697DE6DE84C8270

Function 00007FF71FBA1450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1475
fprintf.MSPDB140-MSVCRT ref: 00007FF71FBA1485

Part of subcall function 00007FF71FBA1010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1047

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1494
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14B3
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14BE
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14C7

Strings

[createdump] , xrefs: 00007FF71FBA147E

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
String ID: [createdump]
API String ID: 3735572767-2657508301
Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
Instruction ID: 08749cbf41ef03fbccd2211ef3bbf5fd890f22c8cf29220c8b66e55d0d16225d
Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
Instruction Fuzzy Hash: A701EC25A09F8192E631BB61F8151BAE364EB84BE1F804535DA8E03B699F3CD569C710

Non-executed Functions

Function 00007FF71FBA2ECC Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF71FBA2EE8
RtlCaptureContext.KERNEL32 ref: 00007FF71FBA2F15
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF71FBA2F2F
RtlVirtualUnwind.KERNEL32 ref: 00007FF71FBA2F70
IsDebuggerPresent.KERNEL32 ref: 00007FF71FBA2FC4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF71FBA2FE5
UnhandledExceptionFilter.KERNEL32 ref: 00007FF71FBA2FF0

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
Instruction ID: a8e2c154c4dc3144d4b580fe8cb9d0fa021280c94f4091306173c09b25f7ce25
Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
Instruction Fuzzy Hash: 9D311F7260AEC185EB71EF70E8503EAA365FB44B54F844439DA4D47A94DF38D55CC720

Function 00007FF71FBA3074 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
Instruction ID: 0965b548cdf6cfd71dd46a46aff59fa75fb302d70daca1120042b86f8e4de114
Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
Instruction Fuzzy Hash: D0A0012190EC82D0E676AB60A8642A6A221AB50B20B840431D00D814A09E7DA4688220

Function 00007FF71FBA23C0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF71FBA242D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF71FBA243B

Part of subcall function 00007FF71FBA1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1475
Part of subcall function 00007FF71FBA1450: fprintf.MSPDB140-MSVCRT ref: 00007FF71FBA1485
Part of subcall function 00007FF71FBA1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1494
Part of subcall function 00007FF71FBA1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14B3
Part of subcall function 00007FF71FBA1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14BE
Part of subcall function 00007FF71FBA1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14C7

K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF71FBA2466
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF71FBA2470
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF71FBA2487
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF71FBA25F3

Strings

Get process name FAILED %d, xrefs: 00007FF71FBA2478
Write dump FAILED 0x%08x, xrefs: 00007FF71FBA258E
Invalid process id '%d' error %d, xrefs: 00007FF71FBA2447
Writing %s to file %s, xrefs: 00007FF71FBA24C3
Invalid dump path '%s' error %d, xrefs: 00007FF71FBA252C

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
API String ID: 3971781330-1292085346
Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
Instruction ID: 49b9a5cac7a257ac3df12b01255aa5340047f8adbb0140952d941b22ece2063d
Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
Instruction Fuzzy Hash: 17616435A0AE8181E631EB25E4506BEB761FB85BB0F900135DE9E07AA5DF3CE449D710

Function 00007FF71FBA49A4 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 316
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF71FBA4B42
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF71FBA4E65
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA4E7B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA4E93
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA4E99

Strings

csm, xrefs: 00007FF71FBA4B69
csm, xrefs: 00007FF71FBA4AEB
csm, xrefs: 00007FF71FBA4A89

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 695522112-393685449
Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
Instruction ID: 18894b64b4d6229aaf9e00f471aadf8da8bb671f9480194c95596fe0952031c3
Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
Instruction Fuzzy Hash: C9E16F72A09AC2CAE732AB34D4402EDB7A0FB44B68F944135DA9D47666DF3CE589C710

Function 00007FF71FBA13C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA13E5
fprintf.MSPDB140-MSVCRT ref: 00007FF71FBA13F5

Part of subcall function 00007FF71FBA1010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1047

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1404
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1423
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA142E
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1437

Strings

[createdump] , xrefs: 00007FF71FBA13EE

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
String ID: [createdump]
API String ID: 3735572767-2657508301
Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
Instruction ID: fbcc9b00f32fb12a776b4fa2a2cab9770ec3b91329d2c3e83f025551442fe7fb
Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
Instruction Fuzzy Hash: AA012C35A09F8182E631BB60F8141AAB364EB84BE1F804135DA8D03B698F7CD4A9C750

Function 00007FF71FBA1800 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF71FBA186C

Part of subcall function 00007FF71FBA1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1475
Part of subcall function 00007FF71FBA1450: fprintf.MSPDB140-MSVCRT ref: 00007FF71FBA1485
Part of subcall function 00007FF71FBA1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1494
Part of subcall function 00007FF71FBA1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14B3
Part of subcall function 00007FF71FBA1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14BE
Part of subcall function 00007FF71FBA1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14C7

Strings

--name, xrefs: 00007FF71FBA180A
%%%%%%%%, xrefs: 00007FF71FBA1890
Pipe syntax in dump name not supported, xrefs: 00007FF71FBA1850
%%%%%%%%, xrefs: 00007FF71FBA1D5C
Invalid dump name format char '%c', xrefs: 00007FF71FBA1DD0

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
API String ID: 3378602911-3973674938
Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
Instruction ID: 102248a58f6fc86489d0bdb0bbf46bac641494d972b7f6f4c9f04c4b674375d2
Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
Instruction Fuzzy Hash: 7E31D562E0AEC156E7BAAF2598547F9A751BB45BE4FC40072DE9D03391CE3CD149CB20

Function 00007FF71FBA6498 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF71FBA669F,?,?,?,00007FF71FBA441E,?,?,?,00007FF71FBA43D9), ref: 00007FF71FBA651D
GetLastError.KERNEL32(?,00000000,00007FF71FBA669F,?,?,?,00007FF71FBA441E,?,?,?,00007FF71FBA43D9,?,?,?,?,00007FF71FBA3524), ref: 00007FF71FBA652B
LoadLibraryExW.KERNEL32(?,00000000,00007FF71FBA669F,?,?,?,00007FF71FBA441E,?,?,?,00007FF71FBA43D9,?,?,?,?,00007FF71FBA3524), ref: 00007FF71FBA6555
FreeLibrary.KERNEL32(?,00000000,00007FF71FBA669F,?,?,?,00007FF71FBA441E,?,?,?,00007FF71FBA43D9,?,?,?,?,00007FF71FBA3524), ref: 00007FF71FBA659B
GetProcAddress.KERNEL32(?,00000000,00007FF71FBA669F,?,?,?,00007FF71FBA441E,?,?,?,00007FF71FBA43D9,?,?,?,?,00007FF71FBA3524), ref: 00007FF71FBA65A7

Strings

api-ms-, xrefs: 00007FF71FBA653D

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
Instruction ID: 4f2b3361f4aef35bb3af2a89113e844cc62de111ecefba536ba336a7d879b448
Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
Instruction Fuzzy Hash: 8D3162A1A1BE8691EE33AB21D8005F5A295FF48FB0F994535DD1D46784EF3CE4488320

Function 00007FF71FBA1B18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF71FBA1B1D

Strings

%%%%%%%%, xrefs: 00007FF71FBA1D5C
Could not get the host name for dump name: %d, xrefs: 00007FF71FBA1DB2

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: _time64
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 1670930206-4114407318
Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
Instruction ID: 83816e0e316af2f33c8ee16155545f87f33f01080592d4b06f7b6952402afc92
Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
Instruction Fuzzy Hash: ED51E376A19FC186EB62DB38E4403E9A7A5EB45BE0F800131DA9D17BA9DF3CD049D710

Function 00007FF71FBA4EA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EncodePointer.KERNEL32 ref: 00007FF71FBA4F10
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA5189

Strings

MOC, xrefs: 00007FF71FBA4F24
RCC, xrefs: 00007FF71FBA4F2C

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: EncodePointerabort
String ID: MOC$RCC
API String ID: 1188231555-2084237596
Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
Instruction ID: 7b75c8625886560b8208d24a8b7bab00de4d34c5516145bd6142209a9243b3f4
Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
Instruction Fuzzy Hash: 3F91A173A09BC28AE7329B75E8402EDB7A0FB44B98F54412AEA8D17B55DF3CD159C700

Function 00007FF71FBA5414 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF71FBA543E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA56A2

Strings

csm, xrefs: 00007FF71FBA55D2
csm, xrefs: 00007FF71FBA5463

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
Instruction ID: eafd80165c7b22a6c96fcccb0aef2f319590da9ec1fa7872d9c701ca2edc652b
Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
Instruction Fuzzy Hash: BC71B13250AAC28AD732AF3594507F9BBA1FB80FA9F849135DA8D07A85CF3CD559C710

Function 00007FF71FBA195F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%%%%%%%%, xrefs: 00007FF71FBA1D5C
Could not get the host name for dump name: %d, xrefs: 00007FF71FBA1DB2

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID:
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 0-4114407318
Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
Instruction ID: 89e490a60b0ebaac25abe66e9595a16e9922d885adeb8b14a60d21b44e17c0cb
Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
Instruction Fuzzy Hash: C451D322A19FC546D771DB39E4407EAA761EB81BE0F800136EAAD07BA9DF3DD045DB10

Function 00007FF71FBA5860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF71FBA590A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF71FBA5936

Strings

csm, xrefs: 00007FF71FBA5A36

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
Instruction ID: 3e126c206869837bddde13906304eb9d90a96ffb49d4b2400a03123feb52856c
Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
Instruction Fuzzy Hash: 9A517D7261AB8286D631AB25E0402AEB7F4FB88FA4F541135EB8D07B55DF7CE064CB10

Function 00007FF71FBA17E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59networkCOMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FF71FBA17EB
WSAStartup.WS2_32 ref: 00007FF71FBA186C

Part of subcall function 00007FF71FBA1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1475
Part of subcall function 00007FF71FBA1450: fprintf.MSPDB140-MSVCRT ref: 00007FF71FBA1485
Part of subcall function 00007FF71FBA1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA1494
Part of subcall function 00007FF71FBA1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14B3
Part of subcall function 00007FF71FBA1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14BE
Part of subcall function 00007FF71FBA1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF71FBA14C7

Strings

--name, xrefs: 00007FF71FBA180A
string too long, xrefs: 00007FF71FBA17E4
Pipe syntax in dump name not supported, xrefs: 00007FF71FBA1850

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
String ID: --name$Pipe syntax in dump name not supported$string too long
API String ID: 1412700758-3183687674
Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
Instruction ID: 6b3dc695e60e766f5edfa3549497b90456fd915f6d409f0375f0976ae9ac98e3
Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
Instruction Fuzzy Hash: FE01B522A19DC195F772AF22EC417EAA750BB48BE4F800035EE4D06651CE3CD49ACB10

Function 00007FF71FBA1CE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32 ref: 00007FF71FBA1CFA
WSAGetLastError.WS2_32 ref: 00007FF71FBA1DA9

Strings

%%%%%%%%, xrefs: 00007FF71FBA1D5C
Could not get the host name for dump name: %d, xrefs: 00007FF71FBA1DB2

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: ErrorLastgethostname
String ID: %%%%%%%%$Could not get the host name for dump name: %d
API String ID: 3782448640-4114407318
Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
Instruction ID: 8fb3cf8e381b9d690e31301df28175cdec39c2bb6cf2d3088165aa3d7c5e7766
Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
Instruction Fuzzy Hash: 7311EB11A0B9C245E6B7BB31A8503FAA2409F85FF0F801135D96F176D5DD3CD04A8760

Function 00007FF71FBA4158 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF71FBA41B8

Strings

csm, xrefs: 00007FF71FBA4178
RCC, xrefs: 00007FF71FBA4168
MOC, xrefs: 00007FF71FBA4170

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
Instruction ID: 5b7eb1a331feef44040860fe3e4408f05e7e0c1547176f5fc865177b6163f68a
Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
Instruction Fuzzy Hash: 36F0A436909E86C1E3767B71A1410ECB7B4EF58F58F885431D70806262CF7CE4A8C611

Function 00007FF71FBA20C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF71FBA18EE), ref: 00007FF71FBA21E0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71FBA221E

Strings

Invalid process id '%d' error %d, xrefs: 00007FF71FBA2447

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Invalid process id '%d' error %d
API String ID: 73155330-4244389950
Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
Instruction ID: 4a02fbabdb6281b30cede89eb78d457e781abdf46e79c32348343fdbf5d9b4ee
Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
Instruction Fuzzy Hash: D831D46270ABD185EA32AF35D5442F9E3A1AB05FE0F940632DB5D07BD5DE7CE0588320

Function 00007FF71FBA3F84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF71FBA173F), ref: 00007FF71FBA3FC8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF71FBA173F), ref: 00007FF71FBA400E

Strings

csm, xrefs: 00007FF71FBA3FFB

Memory Dump Source

Source File: 00000009.00000002.1915744010.00007FF71FBA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF71FBA0000, based on PE: true

Associated: 00000009.00000002.1915709826.00007FF71FBA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915810304.00007FF71FBA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915858559.00007FF71FBAC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.1915899945.00007FF71FBAD000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff71fba0000_createdump.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
Instruction ID: 11905ae256864316afad79e496d6f13bfd5e42c2d2603b7bf134a48990de17d9
Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
Instruction Fuzzy Hash: 8611FB3261AF8182EB319B25F4402A9B7A5FB88F94F584231EE8D07B58DF7ED5598700

Analysis Process: ImporterREDServer.exePID: 2200, Parent PID: 3192COMMON

Non-executed Functions

Function 00007FFE0EC1C0C0 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 169libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFE0EC1C0CD
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C0E0
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C0F7
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C10E
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C125
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C13C
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C153
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C16A
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C181
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C198
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C1AF
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C1C6
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C1DD
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C1F4
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C20B
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C222
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C239
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C250
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C267
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C27E
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C295
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C2AC
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C2C3
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C2DA
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C2F1
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C308
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C31F
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C336
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C34D
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C364
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C37B
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C392
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C3A9
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C3C0
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C3D7
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C3EE
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C405
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C41C
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C433
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C44A
GetProcAddress.KERNEL32 ref: 00007FFE0EC1C461

Strings

CloseThreadpoolTimer, xrefs: 00007FFE0EC1C1E3
WakeConditionVariable, xrefs: 00007FFE0EC1C325
SleepConditionVariableCS, xrefs: 00007FFE0EC1C353
SetFileInformationByHandle, xrefs: 00007FFE0EC1C2E0
LCMapStringEx, xrefs: 00007FFE0EC1C450
InitializeCriticalSectionEx, xrefs: 00007FFE0EC1C12B
SleepConditionVariableSRW, xrefs: 00007FFE0EC1C3C6
CreateEventExW, xrefs: 00007FFE0EC1C159
WaitForThreadpoolTimerCallbacks, xrefs: 00007FFE0EC1C1CC
CompareStringEx, xrefs: 00007FFE0EC1C422
CreateSymbolicLinkW, xrefs: 00007FFE0EC1C28B
CloseThreadpoolWait, xrefs: 00007FFE0EC1C228
CreateThreadpoolWork, xrefs: 00007FFE0EC1C3DD
TryAcquireSRWLockExclusive, xrefs: 00007FFE0EC1C398
GetTickCount64, xrefs: 00007FFE0EC1C2B2
GetCurrentProcessorNumber, xrefs: 00007FFE0EC1C26D
FlsGetValue, xrefs: 00007FFE0EC1C0FD
FreeLibraryWhenCallbackReturns, xrefs: 00007FFE0EC1C256
InitializeConditionVariable, xrefs: 00007FFE0EC1C30E
kernel32.dll, xrefs: 00007FFE0EC1C0C6
CreateThreadpoolTimer, xrefs: 00007FFE0EC1C19E
GetCurrentPackageId, xrefs: 00007FFE0EC1C29B
FlushProcessWriteBuffers, xrefs: 00007FFE0EC1C23F
AcquireSRWLockExclusive, xrefs: 00007FFE0EC1C381
FlsSetValue, xrefs: 00007FFE0EC1C114
WakeAllConditionVariable, xrefs: 00007FFE0EC1C33C
FlsAlloc, xrefs: 00007FFE0EC1C0D6
InitializeSRWLock, xrefs: 00007FFE0EC1C36A
InitOnceExecuteOnce, xrefs: 00007FFE0EC1C142
FlsFree, xrefs: 00007FFE0EC1C0E6
CloseThreadpoolWork, xrefs: 00007FFE0EC1C40B
GetSystemTimePreciseAsFileTime, xrefs: 00007FFE0EC1C2F7
SetThreadpoolWait, xrefs: 00007FFE0EC1C211
CreateSemaphoreExW, xrefs: 00007FFE0EC1C187
CreateSemaphoreW, xrefs: 00007FFE0EC1C170
GetFileInformationByHandleEx, xrefs: 00007FFE0EC1C2C9
GetLocaleInfoEx, xrefs: 00007FFE0EC1C439
SubmitThreadpoolWork, xrefs: 00007FFE0EC1C3F4
CreateThreadpoolWait, xrefs: 00007FFE0EC1C1FA
SetThreadpoolTimer, xrefs: 00007FFE0EC1C1B5
ReleaseSRWLockExclusive, xrefs: 00007FFE0EC1C3AF

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
Instruction ID: 62b0500c91cef9523f7e102630275d3c99b0958e5ec6421ca41b1519452e4013
Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
Instruction Fuzzy Hash: EFA1A064A09F87B1EA04DB21BDE417533A4BF49B85B948035C8DE43330EF7EA169C392

Function 00007FFE13307508 Relevance: 90.2, APIs: 36, Strings: 15, Instructions: 913COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE133075A4
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330768B
DName::operator+.LIBVCRUNTIME ref: 00007FFE133076D6
DName::operator+.LIBVCRUNTIME ref: 00007FFE133076F7
DName::operator+.LIBVCRUNTIME ref: 00007FFE13307767
DName::operator+.LIBVCRUNTIME ref: 00007FFE13307779

Strings

static , xrefs: 00007FFE13308122
/, xrefs: 00007FFE1330801E
public: , xrefs: 00007FFE1330826F
`template static data member destructor helper', xrefs: 00007FFE13308017
`local static destructor helper', xrefs: 00007FFE13307F96
`vtordispex{, xrefs: 00007FFE13307B08
protected: , xrefs: 00007FFE13308248
`template static data member constructor helper', xrefs: 00007FFE13307FD4
`adjustor{, xrefs: 00007FFE13307C3C
extern "C" , xrefs: 00007FFE13308336
[thunk]:, xrefs: 00007FFE133082E1
`vtordisp{, xrefs: 00007FFE13307BDD
}' , xrefs: 00007FFE13307726, 00007FFE13307C67
virtual , xrefs: 00007FFE13308199
private: , xrefs: 00007FFE13308216

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
API String ID: 2943138195-2884338863
Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
Instruction ID: 8bb84b336eadb214fb28bd72770f730e18e602d571b4429fb8f9e26dd6833653
Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
Instruction Fuzzy Hash: 1E92E772A1CF828AEB41CB25E4802BEB7A0FB94364F101175FA9E576A9DF7CD544CB04

Function 00007FFE0EC1F9DA Relevance: 34.3, APIs: 16, Strings: 3, Instructions: 1065COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC1FB8D
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EC1FBA1

Strings

ios_base::failbit set, xrefs: 00007FFE0EC1FB5B, 00007FFE0EC1FD6F, 00007FFE0EC1FDC3, 00007FFE0EC1FF72, 00007FFE0EC20187, 00007FFE0EC2039B, 00007FFE0EC203EF, 00007FFE0EC2059E, 00007FFE0EC207B3, 00007FFE0EC209C7, 00007FFE0EC20A20
ios_base::badbit set, xrefs: 00007FFE0EC1FB4E, 00007FFE0EC1FD62, 00007FFE0EC1FF65, 00007FFE0EC2017A, 00007FFE0EC2038E, 00007FFE0EC20591, 00007FFE0EC207A6, 00007FFE0EC209BA
ios_base::eofbit set, xrefs: 00007FFE0EC1FB62, 00007FFE0EC1FD76, 00007FFE0EC1FF79, 00007FFE0EC2018E, 00007FFE0EC203A2, 00007FFE0EC205A5, 00007FFE0EC207BA, 00007FFE0EC209CE

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
Instruction ID: c604c86731b511c0f6de686cab7c34257f050e3ca09c1ab399d1348ac1ee9f00
Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
Instruction Fuzzy Hash: 72A24962619BC991EB24CF2AE4903ADA760FB89F80F548036DA8D43B75DF7ED845C701

Function 00007FFE0EC12D70 Relevance: 27.7, APIs: 14, Strings: 1, Instructions: 1490COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FFE0EC130AA
memchr.VCRUNTIME140 ref: 00007FFE0EC13470
memchr.VCRUNTIME140 ref: 00007FFE0EC136A5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC1410D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC14114
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC1411B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC14122
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC14129
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC14130
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC14137
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC1413E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC14145
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC1414C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC142D3

Part of subcall function 00007FFE0EBF1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBEC320), ref: 00007FFE0EBF1DFB
Part of subcall function 00007FFE0EBF1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE0EBEC320), ref: 00007FFE0EBF1E08

Strings

0123456789-, xrefs: 00007FFE0EC12F0B, 00007FFE0EC130CC, 00007FFE0EC1348D, 00007FFE0EC136BC

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
String ID: 0123456789-
API String ID: 3572500260-3850129594
Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
Instruction ID: 055c1b1b1d43312f19a1db49921a62a231c5f9ddc0c5d24bfcb0a41819787e92
Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
Instruction Fuzzy Hash: 62E2AB22A09AC599EB048F6AC4843BC3761FB46B98F569171DAAE077F5CF3ED481C301

Function 0000000140008390 Relevance: 19.7, APIs: 13, Instructions: 152fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C

OpenEventA.KERNEL32 ref: 00000001400083D0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
OpenEventA.KERNEL32 ref: 0000000140008454
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
CloseHandle.KERNEL32 ref: 00000001400084B4

Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C

OpenFileMappingA.KERNEL32 ref: 00000001400084F4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
CloseHandle.KERNEL32 ref: 0000000140008554
CloseHandle.KERNEL32 ref: 0000000140008561
MapViewOfFile.KERNEL32 ref: 0000000140008592
CloseHandle.KERNEL32 ref: 00000001400085AB
CloseHandle.KERNEL32 ref: 00000001400085B8
CloseHandle.KERNEL32 ref: 00000001400085C5

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
String ID:
API String ID: 1089015687-0
Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700

Function 0000000140007FC0 Relevance: 18.2, APIs: 12, Instructions: 159fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,00000007,0000000140003664,?), ref: 0000000140008044
memset.VCRUNTIME140(?,?,00000007,0000000140003664,?), ref: 0000000140008061
memcpy.VCRUNTIME140(?,?,00000007,0000000140003664,?), ref: 000000014000807C
UnmapViewOfFile.KERNEL32(?,?,00000007,0000000140003664,?), ref: 0000000140008084
CloseHandle.KERNEL32(?,?,00000007,0000000140003664,?), ref: 0000000140008099
CreateFileMappingA.KERNEL32 ref: 00000001400080F3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,0000000140003664,?), ref: 000000014000814D
CreateFileMappingA.KERNEL32 ref: 00000001400081A9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,0000000140003664,?), ref: 00000001400081F3
MapViewOfFile.KERNEL32(?,?,00000007,0000000140003664,?), ref: 0000000140008228
CloseHandle.KERNEL32(?,?,00000007,0000000140003664,?), ref: 000000014000823D
memcpy.VCRUNTIME140(?,?,00000007,0000000140003664,?), ref: 0000000140008263

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
String ID:
API String ID: 2074253140-0
Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704

Function 00007FFE0EC1B698 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1B70C
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1B739
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EC1B743
btowc.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFE0EC1B74F
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1B77B
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1B7A9
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1B8C1
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1B8EA

Strings

0, xrefs: 00007FFE0EC1B772
0, xrefs: 00007FFE0EC1B762

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: iswdigit$btowclocaleconv
String ID: 0$0
API String ID: 240710166-203156872
Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
Instruction ID: 0cf34c49b4ff4ef1ace22fbb64950a036aef525a663be84b61e71c431e3f401b
Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
Instruction Fuzzy Hash: 82813772A186C2D6E7218F25D89027A73A1FF91B48F084135DBCA462A0EF3DED45CB41

Function 00007FFE0EBEC780 Relevance: 17.0, APIs: 8, Strings: 1, Instructions: 1257COMMON

Download Yara Rule

Strings

0123456789-+Ee, xrefs: 00007FFE0EBEC8DB, 00007FFE0EBECBC8, 00007FFE0EBECF2A, 00007FFE0EBED209, 00007FFE0EBED711

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID:
String ID: 0123456789-+Ee
API String ID: 0-1347306980
Opcode ID: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
Instruction ID: 58f53bee569a98abf6e75aafdc6e98e2c7fe1a086cffca97f1095d3c7a549310
Opcode Fuzzy Hash: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
Instruction Fuzzy Hash: ECC2B226A09A8189EB658F29C19027C7BB1FB51B84F549031DF9E077B9CF3DE865CB00

Function 00007FFE0EC1A27C Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FFE0EC1A2FE
memchr.VCRUNTIME140 ref: 00007FFE0EC1A349
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EC1A362
memchr.VCRUNTIME140 ref: 00007FFE0EC1A39D
memchr.VCRUNTIME140 ref: 00007FFE0EC1A3E5
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1A4FA
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1A522

Strings

0, xrefs: 00007FFE0EC1A38C
0123456789abcdefABCDEF, xrefs: 00007FFE0EC1A2EB, 00007FFE0EC1A30E, 00007FFE0EC1A358, 00007FFE0EC1A3AA

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memchr$isdigit$localeconv
String ID: 0$0123456789abcdefABCDEF
API String ID: 1981154758-1185640306
Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
Instruction ID: ec5a6114cd85f67ba6311bd3ef53c4848000ef0419e0a41a0cf966c5a88a22c0
Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
Instruction Fuzzy Hash: 14917A22A0D5D666F725CB24E49037E3B90FB46B48F48A075CECE47761DA3EE806C742

Function 00007FFE0EBED810 Relevance: 15.3, APIs: 7, Strings: 1, Instructions: 1307COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FFE0EBEDD6B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBEDFCE
memchr.VCRUNTIME140 ref: 00007FFE0EBEE0B4
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBEE19E
memchr.VCRUNTIME140 ref: 00007FFE0EBEE354
memchr.VCRUNTIME140 ref: 00007FFE0EBEE796
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBEE872

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FFE0EBED933, 00007FFE0EBEDDA6, 00007FFE0EBEE0E8, 00007FFE0EBEE376, 00007FFE0EBEE7B8

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
String ID: 0123456789ABCDEFabcdef-+XxPp
API String ID: 2141594249-3606100449
Opcode ID: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
Instruction ID: 420975753395b678e0799f0439ed99b716319c0615e0fda48b73c5888f8155d6
Opcode Fuzzy Hash: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
Instruction Fuzzy Hash: 12D27A36A09A8689EB658F2AD19017C37A1EB40F84F549531DBDE077B9DF3DE852CB00

Function 00007FFE0EC00C60 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1497COMMON

Download Yara Rule

APIs

_Find_elem.LIBCPMT ref: 00007FFE0EC01660
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC02011
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC02018
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0201F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC021CE

Part of subcall function 00007FFE0EBF1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBEC320), ref: 00007FFE0EBF1DFB
Part of subcall function 00007FFE0EBF1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE0EBEC320), ref: 00007FFE0EBF1E08

Strings

0123456789-, xrefs: 00007FFE0EC00DFA, 00007FFE0EC01041, 00007FFE0EC01415, 00007FFE0EC0166B

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
String ID: 0123456789-
API String ID: 2779821303-3850129594
Opcode ID: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
Instruction ID: 5c36912fc2b2daf7130adbaf45c9b521f73a0b91dd0cf5f38a87433db8818382
Opcode Fuzzy Hash: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
Instruction Fuzzy Hash: 4CE29E22A1AAD599EB50CFA9D09027D77B4FB44B84F589035EA8E077B5CF3ED881C701

Function 00007FFE0EC02208 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1497COMMON

Download Yara Rule

APIs

_Find_elem.LIBCPMT ref: 00007FFE0EC02C08
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC035B9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC035C0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC035C7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC03776

Part of subcall function 00007FFE0EBF1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBEC320), ref: 00007FFE0EBF1DFB
Part of subcall function 00007FFE0EBF1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE0EBEC320), ref: 00007FFE0EBF1E08

Strings

0123456789-, xrefs: 00007FFE0EC023A2, 00007FFE0EC025E9, 00007FFE0EC029BD, 00007FFE0EC02C13

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
String ID: 0123456789-
API String ID: 2779821303-3850129594
Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
Instruction ID: a28ad79ec5ff19ed2a7034dc8e37191083934a5c42d3ebf4c138b06064e8eefc
Opcode Fuzzy Hash: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
Instruction Fuzzy Hash: E4E2AB22A09AD599EB54CFA9D09427D3BB4FB44B84F549036EA8E077B5CF3ED881C701

Function 00007FFE0EC1BDA0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EC1BE3E
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1C022
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1C04B

Strings

0, xrefs: 00007FFE0EC1BE6E
0123456789abcdefABCDEF, xrefs: 00007FFE0EC1BE11, 00007FFE0EC1BE74
0, xrefs: 00007FFE0EC1BE08

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: iswdigit$localeconv
String ID: 0$0$0123456789abcdefABCDEF
API String ID: 2634821343-613610638
Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
Instruction ID: a9d5266705fa8499155b36466b77e992c510d045ec3dbf71cb64fd6e6b551ab2
Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
Instruction Fuzzy Hash: 6B814A62E085D6A7EB248F24D89067976A0FF55B44F088035DFCA477A0DB3DEC55CB82

Function 00007FFE0EBEA330 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EBE9E60: memmove.VCRUNTIME140 ref: 00007FFE0EBE9EAE

FindFirstFileExW.KERNEL32 ref: 00007FFE0EBEA3C6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBEA48A

Part of subcall function 00007FFE0EBE9DE4: memmove.VCRUNTIME140 ref: 00007FFE0EBE9E25

FindClose.KERNEL32 ref: 00007FFE0EBEA417
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBEA42C

Strings

., xrefs: 00007FFE0EBEA3F3
., xrefs: 00007FFE0EBEA3E4

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
String ID: .$.
API String ID: 479945582-3769392785
Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
Instruction ID: bde6e903b567d659c7babf47ba3993df4f84ec54ac83d66f680ef495daec1e09
Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
Instruction Fuzzy Hash: 2C418462A1878195EA20DF65E4842B963B5FB857A4F404235EBED037F8DF7CD485CB01

Function 00007FFE0EBFBCD0 Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1289COMMON

Download Yara Rule

Strings

0123456789-+Ee, xrefs: 00007FFE0EBFBE2C, 00007FFE0EBFC128, 00007FFE0EBFC48A, 00007FFE0EBFC79D, 00007FFE0EBFCCE9

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID:
String ID: 0123456789-+Ee
API String ID: 0-1347306980
Opcode ID: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
Instruction ID: 691d74be0b4b5c6bf7329c2332c2f47e43a5dfca4cc241e7cd1537857fa6003a
Opcode Fuzzy Hash: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
Instruction Fuzzy Hash: ACC28036A0968A95EB688F1AD19017C7B60FB40F84B549431DF8E277B1CF3DE8A5DB04

Function 00007FFE0EBFABB0 Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1289COMMON

Download Yara Rule

Strings

0123456789-+Ee, xrefs: 00007FFE0EBFAD0C, 00007FFE0EBFB008, 00007FFE0EBFB36A, 00007FFE0EBFB67D, 00007FFE0EBFBBC9

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID:
String ID: 0123456789-+Ee
API String ID: 0-1347306980
Opcode ID: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
Instruction ID: aea19fc51c621f145693431ad97397198d9a598eb65f7efa4b2c18adb7f18223
Opcode Fuzzy Hash: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
Instruction Fuzzy Hash: 63C27E26A09A8695EB688F1AD19017D37A1FF44F84B549031DF8E277B1CF3DE8A5CB00

Function 00007FFE0EC06C84 Relevance: 9.6, APIs: 6, Instructions: 626COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC06EF7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC06F89
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0702C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC074E8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0753A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC07581

Part of subcall function 00007FFE0EC0EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBF923E), ref: 00007FFE0EC0EC08

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID:
API String ID: 15630516-0
Opcode ID: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
Instruction ID: e3368b72e9bdd8b51eced72b33b911d766660cd9b45d164c42401e872f23ab09
Opcode Fuzzy Hash: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
Instruction Fuzzy Hash: 4C52B022A08BC595EB14DF69D4841BD6761FB84B98F509132EF8D03BA9EF3EE580C341

Function 00007FFE0EC06338 Relevance: 9.6, APIs: 6, Instructions: 626COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC065AB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0663D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC066E0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC06B9C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC06BEE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC06C35

Part of subcall function 00007FFE0EC0EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBF923E), ref: 00007FFE0EC0EC08

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID:
API String ID: 15630516-0
Opcode ID: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
Instruction ID: c71a2c67148321cb837ff63b370f06dd373e5b2f124ec3d33cad340044352e28
Opcode Fuzzy Hash: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
Instruction Fuzzy Hash: 7352A062A18BC595EB10CF69D4841BD6761FB84B98F509132EBCD03BA9EF3EE590C341

Function 0000000140012220 Relevance: 8.9, APIs: 7, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140006440: ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006455

_CxxThrowException.VCRUNTIME140 ref: 000000014001223E
_CxxThrowException.VCRUNTIME140 ref: 000000014001226E
_CxxThrowException.VCRUNTIME140 ref: 000000014001229E

Part of subcall function 0000000140005ED0: ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140005F35

_CxxThrowException.VCRUNTIME140 ref: 00000001400122D1

Part of subcall function 0000000140005ED0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005F42

_CxxThrowException.VCRUNTIME140 ref: 0000000140012301
_CxxThrowException.VCRUNTIME140 ref: 0000000140012321
_CxxThrowException.VCRUNTIME140 ref: 000000014001235A

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1799700165-0
Opcode ID: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
Instruction ID: 3a6b280c2881091f38a62e61b74d670a019ca3ad59059a788fa850ef2ffa55ac
Opcode Fuzzy Hash: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
Instruction Fuzzy Hash: D52112B5611A80CAE71DEE37A8523EA1362E79C7C4F149536BF594FAAEDE31C4218340

Function 00007FFE0EBFDF10 Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 1331COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBFE6F4
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBFE8DF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBFEFF4

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FFE0EBFE03A, 00007FFE0EBFE4DA, 00007FFE0EBFE818, 00007FFE0EBFEACB, 00007FFE0EBFEF3A

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$localeconv
String ID: 0123456789ABCDEFabcdef-+XxPp
API String ID: 1825414929-3606100449
Opcode ID: a2c3201d2fc563089677c4d096e338824b1e6b1947c9be9f1e037a0ad47d033a
Instruction ID: 4edc3e932ebfee51526f36f2a41407961192feb236b49a5696ea529f4c9d7dbc
Opcode Fuzzy Hash: a2c3201d2fc563089677c4d096e338824b1e6b1947c9be9f1e037a0ad47d033a
Instruction Fuzzy Hash: 59D26B36A09A8685EB698F1AD19017C3761FB40F94B549032DF9E277B0DF3DE896CB10

Function 00007FFE0EBFCDF0 Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 1331COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBFD5D4
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBFD7BF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBFDED4

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FFE0EBFCF1A, 00007FFE0EBFD3BA, 00007FFE0EBFD6F8, 00007FFE0EBFD9AB, 00007FFE0EBFDE1A

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$localeconv
String ID: 0123456789ABCDEFabcdef-+XxPp
API String ID: 1825414929-3606100449
Opcode ID: ddd61782d9e4402da2bcb03becf798ae66cc8a3793171496245683449c1d3606
Instruction ID: ba72172dba698f3ef60ff09daf110de04f9b9b0c079666358528f64d98933c21
Opcode Fuzzy Hash: ddd61782d9e4402da2bcb03becf798ae66cc8a3793171496245683449c1d3606
Instruction Fuzzy Hash: 55D25A36A09A8685EB698F1AD19027C3361FB50F84B549431DF9E277B0CF3DE896DB10

Function 00007FFE0EBF8FB0 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBF904E
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBF9061
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBF9076
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBF93D4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBF9422

Part of subcall function 00007FFE0EC0EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBF923E), ref: 00007FFE0EC0EC08

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
String ID:
API String ID: 1326169664-0
Opcode ID: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
Instruction ID: 478ed9857509161e29e84452208940da86f70842e14ad09ae97ee72bf3a36d90
Opcode Fuzzy Hash: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
Instruction Fuzzy Hash: B6E15B22B09B8695FB14CFB9D5402AC7371FB88B88B514136DE8D27BA8DF38D55AC700

Function 00007FFE0EBF9460 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBF94FE
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBF9511
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBF9526
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBF9884
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBF98D2

Part of subcall function 00007FFE0EC0EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBF923E), ref: 00007FFE0EC0EC08

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
String ID:
API String ID: 1326169664-0
Opcode ID: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
Instruction ID: acf3f9aee38aade5f3de44d869de8380a37bb49e73983a37ce676cd2645897e9
Opcode Fuzzy Hash: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
Instruction Fuzzy Hash: EAE15B22F09B8695EB14DFB5D4402AC7371FB88B98B514136DE9D27BA8DF38D45AC700

Function 00007FFE0EBEE8B0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 634COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FFE0EBEEDC9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBEF051
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBEF08F

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00007FFE0EBEE94E, 00007FFE0EBEEDE9

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memchr
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2740501399-2799312399
Opcode ID: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
Instruction ID: eb3d3993ec534cb4e760a241389e014cc82cdb436486748a23c09c2b0ac279f5
Opcode Fuzzy Hash: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
Instruction Fuzzy Hash: 4652A022B09A8689FB658F29D09017C37B1BB05B98F549431CE9E177B9CF3DE466DB00

Function 00007FFE0EC04780 Relevance: 5.3, APIs: 3, Instructions: 815COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC17600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE0EBE3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0EC1760F

Part of subcall function 00007FFE0EBEF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE0EC14C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE66), ref: 00007FFE0EBEF6FC

_W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE88), ref: 00007FFE0EC05245
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE88), ref: 00007FFE0EC0525A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE88), ref: 00007FFE0EC05268

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$Gettnames_lock_localesrealloc
String ID:
API String ID: 3705959680-0
Opcode ID: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
Instruction ID: a110829c694084d2504b578a127a4336160f3925e6c0391c720f6a46867d8787
Opcode Fuzzy Hash: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
Instruction Fuzzy Hash: C1827F21A0DA83A5FF55DF65D8C02BA27A0BF45B80F444136EA9E473B6DF3EE4418346

Function 00007FFE0EC05470 Relevance: 5.3, APIs: 3, Instructions: 815COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC17600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE0EBE3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0EC1760F

Part of subcall function 00007FFE0EBEF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE0EC14C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE66), ref: 00007FFE0EBEF6FC

_W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE77), ref: 00007FFE0EC05F35
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE77), ref: 00007FFE0EC05F4A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE77), ref: 00007FFE0EC05F58

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$Gettnames_lock_localesrealloc
String ID:
API String ID: 3705959680-0
Opcode ID: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
Instruction ID: ca6f2767ec9edaf7c938c6b4e83db0999c28b1924e8615c58d3a7e45a58c26cf
Opcode Fuzzy Hash: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
Instruction Fuzzy Hash: 47826F21E0DA83A6EB65DFA5D8C02BA27A0BF45780F444135EACE473B5DF3EE4418746

Function 0000000140010BE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000140010C05
FormatMessageA.KERNEL32 ref: 0000000140010C33

Strings

GetLastError() = 0x%X, xrefs: 0000000140010C5D

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: GetLastError() = 0x%X
API String ID: 3479602957-3384952017
Opcode ID: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
Instruction ID: 03957f339625c86e619908699dc07c15f857aa178ffe48bb474e222578fe156c
Opcode Fuzzy Hash: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
Instruction Fuzzy Hash: 63219032A18BC083E7118B2AE400399B7A4F7D97A4F159315EBE8036E9EB78C545CB40

Function 00007FFE0EC144E0 Relevance: 5.0, APIs: 3, Instructions: 509COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC11E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC11F72

Part of subcall function 00007FFE0EC17600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE0EBE3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0EC1760F

_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE66,?,?,?,?,?,?,?,00007FFE0EBEF7E7), ref: 00007FFE0EC14BCF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE66,?,?,?,?,?,?,?,00007FFE0EBEF7E7), ref: 00007FFE0EC14BE4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE0EBEFE66,?,?,?,?,?,?,?,00007FFE0EBEF7E7), ref: 00007FFE0EC14BF3

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
String ID:
API String ID: 962949324-0
Opcode ID: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
Instruction ID: 4ccb77718fc3d0e90bd5054a7a81fb19a82ddc4b7af65ce2b683d80e74e0063d
Opcode Fuzzy Hash: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
Instruction Fuzzy Hash: 50326D25A09A83B5FB55DF65D8C01BA37A0BF467C4B484075EACE473B6DE3EE4418342

Function 00007FFE0EC03F00 Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC042AD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC042FB

Part of subcall function 00007FFE0EC0EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBF923E), ref: 00007FFE0EC0EC08

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID:
API String ID: 15630516-0
Opcode ID: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
Instruction ID: 9575d5c01ef1b429d1586d558dc32c5cb32d7b0fa80a7df46a0a00489259984b
Opcode Fuzzy Hash: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
Instruction Fuzzy Hash: E9D15B22B09B8295EB04DFA5D5802BD6372FB48B88F444132DF9D27BA9DF39E459C341

Function 00007FFE0EC04340 Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC046ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0473B

Part of subcall function 00007FFE0EC0EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBF923E), ref: 00007FFE0EC0EC08

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID:
API String ID: 15630516-0
Opcode ID: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
Instruction ID: d337d673b02c5b4466f6c79d6fae231a58afdd653d12db5a45e2a484f3e9b512
Opcode Fuzzy Hash: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
Instruction Fuzzy Hash: 3CD16922B09B8599EB04CFA5D4802BD6372FB48B98F444132DF9D27BA9DF39E449C341

Function 00007FFE0EBF6440 Relevance: 3.3, APIs: 2, Instructions: 251COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFE0EBF64C5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBF6591

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
Instruction ID: 81208c40305404a564ce927e5790dae026ceffbcc3814112f315a6049f8e51f1
Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
Instruction Fuzzy Hash: 8AA1D162F0869295FB28CFA5D4506BC27B1BB05B98F544035DF8E2BBA8DF38D881C740

Function 00007FFE0EBF60D0 Relevance: 3.3, APIs: 2, Instructions: 251COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFE0EBF6155
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBF6221

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
Instruction ID: 7a78b65b82b5a41eafa2995403b046b0da6582d4e95f642109ac4ffa8e4fbb02
Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
Instruction Fuzzy Hash: 65A1EF62F0869295FB28CFA6D5506BC27B1BB15B98F144035DE8D2BBA9CF3CE481C740

Function 00007FFE0EBEA7B0 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EBE9E60: memmove.VCRUNTIME140 ref: 00007FFE0EBE9EAE

GetDiskFreeSpaceExW.KERNEL32 ref: 00007FFE0EBEA895
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBEA8FF

Part of subcall function 00007FFE0EBE9BE8: memmove.VCRUNTIME140 ref: 00007FFE0EBE9CC0

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memmove$DiskFreeSpace_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1915456417-0
Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
Instruction ID: 2ce9fb2a35cb9ed0eac389fee9519137673b7d4ce69dfae1f6cf412d53537fbd
Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
Instruction Fuzzy Hash: CC414B32B14B8598FB10CFA5D8902AC37B5BB48BA8F545635DE9D63BA8DF38D085C740

Function 00007FFE0EC0EFC0 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EC0EFC9
GetLocaleInfoEx.KERNEL32 ref: 00007FFE0EC0EFE2

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: InfoLocale___lc_locale_name_func
String ID:
API String ID: 3366915261-0
Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
Instruction ID: 6483e57b55896440fbf84679f4833b5189c829954eb3b4eca1008afe356cb637
Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
Instruction Fuzzy Hash: 73F01C72E2C1C2A2E3B85B69D4D97392260FB44709F40053AE59F426B4CF6EE6849742

Function 00007FFE0EC00710 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
Instruction ID: c28e3439460ad6388362d512bd49534e8b6f16e36c9fc84c85254d7893ac65f1
Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
Instruction Fuzzy Hash: CC026026A09A8699EB508F69C49137D33A1FB44F88F559431CE8E177B5CF3ED882C312

Function 00007FFE0EC12880 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
Instruction ID: b283811251879ec6dad59e8357d2731b94890059d27cbae888ff0d317c4fbede
Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
Instruction Fuzzy Hash: A202952AA09AC599EB598F29C49037C37A1FB42F98F549071DA8E473B5CF3ED842D311

Function 00007FFE0EBEF9B0 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _lock_locales
String ID:
API String ID: 3756862740-0
Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
Instruction ID: 1bac12234c2ad9436b55a8523d610e8d8f5bac9fbc58d54fc422a86f06fc7a3e
Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
Instruction Fuzzy Hash: BAE18F61F09A83A5EB66DF6598801BA23A1FF817C0F644136E9CD437B9DF3DE4428741

Function 0000000140004730 Relevance: 67.0, APIs: 5, Strings: 33, Instructions: 470COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 000000014000475B

Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0

?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866

Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15

Strings

iso, xrefs: 0000000140004D9C
clip_id, xrefs: 0000000140004B7D
sensor_id, xrefs: 0000000140004F4A
camera_firmware_version, xrefs: 0000000140004F0E
channel_mask, xrefs: 0000000140004977
saturation, xrefs: 0000000140004E30
jamsync_setting, xrefs: 0000000140004DC1
framerate_denominator, xrefs: 00000001400048B7
local_time, xrefs: 0000000140004E0B
white_balance_tint, xrefs: 0000000140004EE9
digital_gain_blue, xrefs: 0000000140004C74
contrast, xrefs: 0000000140004C4F
gmt_date, xrefs: 0000000140004D52
framerate_numerator, xrefs: 00000001400048DB
sample_size, xrefs: 0000000140004953
digital_gain_green, xrefs: 0000000140004C99
shutter_degrees, xrefs: 0000000140004E55
genlock_setting, xrefs: 0000000140004D2D
sensor_name, xrefs: 0000000140004F33
exposure_compensation, xrefs: 0000000140004CE3
gmt_time, xrefs: 0000000140004D77
reel_id_full, xrefs: 000000014000499B
pixel_aspect_ratio, xrefs: 000000014000484E
user_timecode_preference, xrefs: 0000000140004A2C
camera_id, xrefs: 0000000140004AF8
local_date, xrefs: 0000000140004DE6
exposure_time, xrefs: 0000000140004D08
shutter_phase_offset, xrefs: 0000000140004E9F
white_balance_kelvin, xrefs: 0000000140004EC4
shutter_fractions, xrefs: 0000000140004E7A
samplerate, xrefs: 000000014000492D
brightness, xrefs: 0000000140004C2A
digital_gain_red, xrefs: 0000000140004CBE

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
API String ID: 2423274481-1946953090
Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340

Function 00007FFE13308C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330913D
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309175
DName::operator+.LIBVCRUNTIME ref: 00007FFE133091AF

Strings

__int32, xrefs: 00007FFE13308EDB
void, xrefs: 00007FFE13308D86
long, xrefs: 00007FFE13308CBC
char, xrefs: 00007FFE13308CF2
__int64, xrefs: 00007FFE13308EC9
volatile, xrefs: 00007FFE13309025
wchar_t, xrefs: 00007FFE133090A8
char32_t, xrefs: 00007FFE133090B7
__int16, xrefs: 00007FFE13308E1C
__int8, xrefs: 00007FFE13308E2E
volatile, xrefs: 00007FFE13308FF8
float, xrefs: 00007FFE13308D74
const, xrefs: 00007FFE13308FDD
auto, xrefs: 00007FFE13308F3F
unsigned , xrefs: 00007FFE133090FA
double, xrefs: 00007FFE13308D48
UNKNOWN, xrefs: 00007FFE1330908D
__w64 , xrefs: 00007FFE13308E3A
short, xrefs: 00007FFE13308CE0
bool, xrefs: 00007FFE13309056
__int128, xrefs: 00007FFE13308EB7
int, xrefs: 00007FFE13308CCE
signed , xrefs: 00007FFE1330910A
decltype(auto), xrefs: 00007FFE133090C6
<unknown>, xrefs: 00007FFE13308F1B
char16_t, xrefs: 00007FFE13309065
long , xrefs: 00007FFE13308D31
char8_t, xrefs: 00007FFE13308F2D

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction ID: adb1d51ea4d471613a155b1a50220207a4ac2e5f6f544f9787335b38b441d6a9
Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction Fuzzy Hash: 23F190B2F18E128CF7148B66C9542BC2BB0BB24364F4045B5DA2D76AB9DF7DE644C348

Function 00007FFE1330C3C8 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C459
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C492
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C566
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C577
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C5DA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C5EA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C636
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C648
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C7BB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C83B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C84A

Strings

`anonymous namespace', xrefs: 00007FFE1330C71B

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID: `anonymous namespace'
API String ID: 2943138195-3062148218
Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction ID: 44e96f0025a63af91bf83fe82440d8e47277946b5aa61e753f382b76e633f7fe
Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction Fuzzy Hash: 65E1BD72A08F829DEB11CF66D4801AD77A0FB64764F4040B5EB6D2BBA6DF38E554C704

Function 0000000140002630 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 290COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72

Strings

(, xrefs: 0000000140002972

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
String ID: (
API String ID: 703713002-3887548279
Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700

Function 00000001400107F0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 268libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000000140010881
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140010916
MultiByteToWideChar.KERNEL32 ref: 0000000140010997
MultiByteToWideChar.KERNEL32 ref: 00000001400109D8
LoadLibraryW.KERNEL32 ref: 00000001400109E6
LoadLibraryA.KERNEL32 ref: 0000000140010A12
GetLastError.KERNEL32 ref: 0000000140010A25
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140010A99
FreeLibrary.KERNEL32 ref: 0000000140010ACF
GetLastError.KERNEL32 ref: 0000000140010ADD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140010B5A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140010B9A

Strings

[NOT FOUND ] %s, xrefs: 00000001400108D5

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
String ID: [NOT FOUND ] %s
API String ID: 2350601386-3340296899
Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340

Function 00007FFE1330A83C Relevance: 22.9, APIs: 15, Instructions: 358COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A88D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A969
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A9B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A9C3

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction ID: b0e19649e05d6378c33ba4604b14863f2ee39d1620a57cacc7a5842a360d4acd
Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction Fuzzy Hash: BCF18D72B08A829EF711DF66E4901EC37B0EB2435CB4041B5EE6D67AA5DF38D906C348

Function 000000014001189C Relevance: 22.6, APIs: 15, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00000001400118B0
__scrt_acquire_startup_lock.LIBCMT ref: 00000001400118C5
__scrt_release_startup_lock.LIBCMT ref: 0000000140011933
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 0000000140011949
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 0000000140011975
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140011981
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140011986
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014001198E
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140011996
__scrt_is_managed_app.LIBCMT ref: 00000001400119AA
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400119B8
__scrt_uninitialize_crt.LIBCMT ref: 00000001400119C1
__scrt_fastfail.LIBCMT ref: 00000001400119F8
__scrt_fastfail.LIBCMT ref: 0000000140011A03
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140011A12

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1818695170-0
Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351

Function 00007FFE1330D20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330D712

Strings

`generic-class-parameter-, xrefs: 00007FFE1330D6C7
`generic-method-parameter-, xrefs: 00007FFE1330D6B7
nullptr, xrefs: 00007FFE1330D3FA
NULL, xrefs: 00007FFE1330D2D7
`template-type-parameter-, xrefs: 00007FFE1330D6D0

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
API String ID: 2943138195-2309034085
Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction ID: b2308a5b933c921f35a3c5f6642ebc039545b17a461f419400a242fac59adb50
Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction Fuzzy Hash: 7FE1A172E08E028CFB14AB6AD9581BC27E4AF65764F4401B5DE2D36AB9DF3CA544C348

Function 0000000140003320 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 422COMMON

Download Yara Rule

APIs

clock.API-MS-WIN-CRT-TIME-L1-1-0 ref: 0000000140003373

Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0

memset.VCRUNTIME140 ref: 00000001400033DB

Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA

memcpy.VCRUNTIME140(?), ref: 00000001400035E1
memcmp.VCRUNTIME140 ref: 00000001400037BC
memcmp.VCRUNTIME140 ref: 0000000140003827
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000392C

Strings

SideCarLut, xrefs: 0000000140003872
flip_horizontal, xrefs: 0000000140003A53, 0000000140003A66
MRDH, xrefs: 0000000140003972
B8RB, xrefs: 00000001400036C2
flip_vertical, xrefs: 0000000140003A87, 0000000140003A9A

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
API String ID: 140832405-680935841
Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300

Function 00007FFE13302CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE13302D40

Part of subcall function 00007FFE13305010: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE13305045
Part of subcall function 00007FFE13305010: __GetUnwindTryBlock.LIBCMT ref: 00007FFE13305053
Part of subcall function 00007FFE13305010: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE13305078

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE13302E18
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302E25
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE13303060
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330308E
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE133030CC

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303154
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE13303189

Strings

csm, xrefs: 00007FFE13302D5A
csm, xrefs: 00007FFE13302E3D
csm, xrefs: 00007FFE13302DC1

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3436797354-393685449
Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction ID: 9f322ceca1445c18d436cd4cfd1ab5055cbc19680d3decd3b1844b37a1ef08d9
Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction Fuzzy Hash: 48D17432A08F418EEB54DF66D4402AE77A0FB65BA8F100175EE9D67B65CF38E494C704

Function 00007FFE0EBE26E0 Relevance: 18.2, APIs: 12, Instructions: 238COMMON

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE2728
__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE274E
GetCPInfo.KERNEL32 ref: 00007FFE0EBE2792
MultiByteToWideChar.KERNEL32 ref: 00007FFE0EBE2838
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE289F
MultiByteToWideChar.KERNEL32 ref: 00007FFE0EBE28DE
MultiByteToWideChar.KERNEL32 ref: 00007FFE0EBE2909
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE2970
MultiByteToWideChar.KERNEL32 ref: 00007FFE0EBE29AC
CompareStringEx.KERNEL32 ref: 00007FFE0EBE29DF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE2A06
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE2A24

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
String ID:
API String ID: 3420081407-0
Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
Instruction ID: 35388c6ea3636a7bbe4b06e9e88e9ab2cbafc2beb82ba2c13acce3b6df07f368
Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
Instruction Fuzzy Hash: 58A1D272B0868296FB318F20C4503BA6699EF04BA4F445631CEDD167F8DF7DE8448B81

Function 00007FFE0EBF692C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA87E), ref: 00007FFE0EBF6971
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA87E), ref: 00007FFE0EBF698E
_Maklocstr.LIBCPMT ref: 00007FFE0EBF69AA
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA87E), ref: 00007FFE0EBF69B3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA87E), ref: 00007FFE0EBF69D0
_Maklocstr.LIBCPMT ref: 00007FFE0EBF69EC
_Maklocstr.LIBCPMT ref: 00007FFE0EBF6A01

Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE0EBF69DB
:AM:am:PM:pm, xrefs: 00007FFE0EBF69FA
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EBF6999

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 269533641-35662545
Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
Instruction ID: 2bf2c6fbc2b0f9f9efbbdd7e6417a6dd30ccfc433c49134a97159782c60506f6
Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
Instruction Fuzzy Hash: D2215E32A04B8582EB14DF31E4912A973A1FB98F84F448235DB9D5776AEF3CE581C780

Function 00007FFE0EBE2B20 Relevance: 16.7, APIs: 11, Instructions: 203COMMON

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE2B68
MultiByteToWideChar.KERNEL32 ref: 00007FFE0EBE2B94
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE2C00
MultiByteToWideChar.KERNEL32 ref: 00007FFE0EBE2C3C
LCMapStringEx.KERNEL32 ref: 00007FFE0EBE2C77
LCMapStringEx.KERNEL32 ref: 00007FFE0EBE2CD0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE2D36
LCMapStringEx.KERNEL32 ref: 00007FFE0EBE2D7E
WideCharToMultiByte.KERNEL32 ref: 00007FFE0EBE2DC0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE2DD4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE2DF4

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ByteCharMultiStringWide$freemalloc$__strncnt
String ID:
API String ID: 1733283546-0
Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
Instruction ID: 7bf78e85c8d7089e48d4619f76f5e47bb65a781932286337c4d8efef357b3882
Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
Instruction Fuzzy Hash: 71917F32A08B8286EB608F21D48037967E5FB44BA8F544235EE9D57BF8DF7DE4458B40

Function 00007FFE0EC19350 Relevance: 16.7, APIs: 11, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC19CD4: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19CFA
Part of subcall function 00007FFE0EC19CD4: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19D64

_Stoflt.LIBCPMT ref: 00007FFE0EC193D4
_FXp_setw.LIBCPMT ref: 00007FFE0EC193EE
_FXp_setw.LIBCPMT ref: 00007FFE0EC19401
_FXp_setn.LIBCPMT ref: 00007FFE0EC19445
_FXp_addx.LIBCPMT ref: 00007FFE0EC19457
_FXp_setw.LIBCPMT ref: 00007FFE0EC194AE
_FXp_setw.LIBCPMT ref: 00007FFE0EC194C1
_FXp_setn.LIBCPMT ref: 00007FFE0EC1940C

Part of subcall function 00007FFE0EC108B4: _FXp_setw.LIBCPMT ref: 00007FFE0EC108ED

_FXp_setn.LIBCPMT ref: 00007FFE0EC194CC
_FXp_setn.LIBCPMT ref: 00007FFE0EC19505
_FXp_addx.LIBCPMT ref: 00007FFE0EC19517

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 3166507417-0
Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
Instruction ID: d156dc7d99c01971b7caad8780bbced8cef34f3137ff5eae638d5a2073725a14
Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
Instruction Fuzzy Hash: F961F622F086C2AAFB10DFA2C4D12FD3721AB85748F504235DE8D677A5DE3AE54AC701

Function 00000001400071E0 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SetDllDirectoryW.KERNEL32 ref: 000000014000721A
?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A

Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355

Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A

??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
String ID:
API String ID: 2702579277-0
Opcode ID: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
Instruction ID: 4e02132fa2518a481f17a5c3ad5963577c23686a774b89ce01035fe16d76d46e
Opcode Fuzzy Hash: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
Instruction Fuzzy Hash: 09618EB2608A4082FB12CB26F8947EA67A2F78EBD0F505121FB9D476B5DF3DC5498700

Function 00007FFE0EC29BC0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC29DCE
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EC29DDF
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC29E22
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EC29E33
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC29EAD
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EC29EBE

Strings

ios_base::failbit set, xrefs: 00007FFE0EC29DA2, 00007FFE0EC29DF6, 00007FFE0EC29E81
ios_base::badbit set, xrefs: 00007FFE0EC29D96, 00007FFE0EC29DEA, 00007FFE0EC29E40, 00007FFE0EC29E74, 00007FFE0EC29ED0
ios_base::eofbit set, xrefs: 00007FFE0EC29DA9, 00007FFE0EC29DFD, 00007FFE0EC29E88

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
Instruction ID: 6eb2ac9998ec2de09c989ac003f35a592c68ac813fea8bb4f31e1f712a89cbe5
Opcode Fuzzy Hash: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
Instruction Fuzzy Hash: 0F919062A18A85A2EF64CF19E4D13B96760FBD4B84F548036CA8E477B5DF3ED846C301

Function 00007FFE1330E350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

`generic-type-, xrefs: 00007FFE1330E491
`template-parameter-, xrefs: 00007FFE1330E44A
generic-type-, xrefs: 00007FFE1330E45E
template-parameter-, xrefs: 00007FFE1330E417

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction ID: 606cf050714bde27de9d5f03bf3cfc5ab7bce46f87510240db048384b56ec545
Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction Fuzzy Hash: 3B91AB32B08E868DFB108B62D4502BC77A0AB64B64F4845B2DE6D233B6DF3CE545D318

Function 00007FFE1330A13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A198

Part of subcall function 00007FFE1330722C: DName::operator+=.LIBVCRUNTIME ref: 00007FFE13307247

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A2C5

Strings

`unknown ecsu', xrefs: 00007FFE1330A164
class , xrefs: 00007FFE1330A2DA
cointerface , xrefs: 00007FFE1330A26C
coclass , xrefs: 00007FFE1330A27E
struct , xrefs: 00007FFE1330A2E9
enum , xrefs: 00007FFE1330A287
union , xrefs: 00007FFE1330A2F2

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 179159573-1464470183
Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction ID: afda46302a8321e602c1bcaa81b4c441be55a1a556662d9b258ce46c3c70d297
Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction Fuzzy Hash: 9D517A31E18E26CDFB14CBA6E8405BC33B4BB243A4F500275DE2D76A69DF29E552C704

Function 00007FFE0EC1B440 Relevance: 15.2, APIs: 10, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC1BBD8: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BBFE
Part of subcall function 00007FFE0EC1BBD8: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BC76

_FXp_setw.LIBCPMT ref: 00007FFE0EC1B4DE
_FXp_setw.LIBCPMT ref: 00007FFE0EC1B4F1
_FXp_setn.LIBCPMT ref: 00007FFE0EC1B535
_FXp_addx.LIBCPMT ref: 00007FFE0EC1B547
_FXp_setw.LIBCPMT ref: 00007FFE0EC1B59E
_FXp_setw.LIBCPMT ref: 00007FFE0EC1B5B1
_FXp_setn.LIBCPMT ref: 00007FFE0EC1B4FC

Part of subcall function 00007FFE0EC108B4: _FXp_setw.LIBCPMT ref: 00007FFE0EC108ED

_FXp_setn.LIBCPMT ref: 00007FFE0EC1B5BC
_FXp_setn.LIBCPMT ref: 00007FFE0EC1B5F5
_FXp_addx.LIBCPMT ref: 00007FFE0EC1B607

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3781602613-0
Opcode ID: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
Instruction ID: 79f8f67ea540ed6dc4285734d8620b2f7be76c505e0c9d5eb29439bf9658b6c9
Opcode Fuzzy Hash: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
Instruction Fuzzy Hash: DF61C522F08A82EAF710DFA2C4C11FD2721AB55748F504536DE4D67BA5DE3EE94ACB01

Function 00007FFE133088E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE133089AE
DName::operator+.LIBVCRUNTIME ref: 00007FFE133089BE
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308A0A
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308A1A
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308A2A
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308A9D
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308AAE
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308AC0
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308AEC
DName::operator+.LIBVCRUNTIME ref: 00007FFE13308AFB

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction ID: e01e4476c5e825f3442993bf085f1a7e018441999e41eb8f17180454eea1f972
Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction Fuzzy Hash: 51618A62F04B529CFB00DBA2D8801EC27B1BB107A8F404476DE6D3BAA9DF78D545C344

Function 00007FFE1A4512D0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45138A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4513A9
memmove.VCRUNTIME140 ref: 00007FFE1A4513CA
__AdjustPointer.LIBCMT ref: 00007FFE1A4513EA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4513F7
__AdjustPointer.LIBCMT ref: 00007FFE1A451433
memmove.VCRUNTIME140 ref: 00007FFE1A451441
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A451448
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45148D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A451494

Memory Dump Source

Source File: 0000000C.00000002.1920546941.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 0000000C.00000002.1920454243.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920747487.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920936180.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe1a450000_ImporterREDServer.jbxd

Similarity

API ID: abort$AdjustPointermemmove
String ID:
API String ID: 338301193-0
Opcode ID: 07f6f1c71b1fba12c50c9bfb688491a0a06ff6fb4efb73833bc0a4a245d0f2ba
Instruction ID: ab3d2bf39f9f70bdd0041414ce6a29f64a4b18c4c59e61ff3d05cb026d8be023
Opcode Fuzzy Hash: 07f6f1c71b1fba12c50c9bfb688491a0a06ff6fb4efb73833bc0a4a245d0f2ba
Instruction Fuzzy Hash: 69519FA2F0AF4281FA65FB5BD05453C6694AF45FA4F1984F7DA4E06AA4DF2CE461C300

Function 00007FFE133031A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1330333E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330334B

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133035F9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303644
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE13303679

Strings

csm, xrefs: 00007FFE133032E7
csm, xrefs: 00007FFE13303285
csm, xrefs: 00007FFE13303367

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction ID: 5b4014f580c43b88c61bdcf58b40691fa99d85ee5380e304aa17ceaa4bb1543a
Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction Fuzzy Hash: 20E1C372A08A818EE750DF7AD4803AE77A0FB64B78F140175DAAD67765CF38E085C704

Function 00007FFE1A451650 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A4517EA
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4517F7

Part of subcall function 00007FFE1A4533C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4533CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A451AA5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A451AF0
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A451B25

Strings

csm, xrefs: 00007FFE1A451731
csm, xrefs: 00007FFE1A451813
csm, xrefs: 00007FFE1A451793

Memory Dump Source

Source File: 0000000C.00000002.1920546941.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 0000000C.00000002.1920454243.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920747487.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920936180.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe1a450000_ImporterREDServer.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: cb3bf927df27b60c74c765ddc221b28a06d569304d98737ce8ec765a202f2bbd
Instruction ID: 31088108f935c430db0587a9948692a64effcbdd203dc3c457576e008ef76eea
Opcode Fuzzy Hash: cb3bf927df27b60c74c765ddc221b28a06d569304d98737ce8ec765a202f2bbd
Instruction Fuzzy Hash: EAE1A3B3A08B828AE711FF6AD4802BD77A0FB45B68F1441B7DA4D47666DF38E495C700

Function 00007FFE0EC1A080 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1A0BD
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1A15B
memchr.VCRUNTIME140 ref: 00007FFE0EC1A16D
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC1A1A8
memchr.VCRUNTIME140 ref: 00007FFE0EC1A1B6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC1A236

Strings

0, xrefs: 00007FFE0EC1A0F8
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFE0EC1A164, 00007FFE0EC1A177

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-2692187688
Opcode ID: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
Instruction ID: eb1b0522a399a9f283ccbd7b5a4b2a22402c1d2c491de4e6cf3ff18c405bdd5c
Opcode Fuzzy Hash: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
Instruction Fuzzy Hash: 3751F812A0E6C2A9EB618F3498943B966907F46790F584570DDDE063B5DE3EE8468303

Function 00007FFE1330BE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330BFD8

Part of subcall function 00007FFE13308C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330913D
Part of subcall function 00007FFE13308C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE13309175

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330BF8A

Strings

std::nullptr_t , xrefs: 00007FFE1330BF16
cli::array<, xrefs: 00007FFE1330BF57
void, xrefs: 00007FFE1330BE6E
void , xrefs: 00007FFE1330BE96
cli::pin_ptr<, xrefs: 00007FFE1330BFA1
std::nullptr_t, xrefs: 00007FFE1330BF03

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction ID: ecff60bcfbdd1f009dca05d3a01a3681d4c46eb00fc70ca211c09ee6bece37f6
Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction Fuzzy Hash: BC514972E18F458CFB198FA2E8412BC77B0BB28764F4441B5DA6D22AA5DF7C9144C718

Function 00000001400078C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954

Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B

Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C

Strings

ImptRED_CEvent_, xrefs: 0000000140007975

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
String ID: ImptRED_CEvent_
API String ID: 2242036409-942587184
Opcode ID: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
Instruction ID: 9b405900c275d478bf9193c59fc3990d56eeb31e22b03c6e117ca8d8066cf312
Opcode Fuzzy Hash: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
Instruction Fuzzy Hash: 1D519AB2204B8096EB11CB6AE89079E7B70F389B98F504111EF8D57BA9DF3DC549CB00

Function 0000000140007E00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94

Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB

Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C

Strings

ImptRED_SEvent_, xrefs: 0000000140007EB5

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
String ID: ImptRED_SEvent_
API String ID: 2242036409-1609572862
Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40

Function 0000000140007A80 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14

Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B

Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C

Strings

ImptRED_CmdMap_, xrefs: 0000000140007B35

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
String ID: ImptRED_CmdMap_
API String ID: 2242036409-3276274529
Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00

Function 0000000140007C40 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4

Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B

Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC

Strings

ImptRED_DMap_, xrefs: 0000000140007CF5

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
String ID: ImptRED_DMap_
API String ID: 2242036409-2879874026
Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00

Function 00007FFE0EBE6C20 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EBE6C74
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFE0EBE66A0,?,?,?,00007FFE0EBE83FD), ref: 00007FFE0EBE6C85
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBE6CB2
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EBE6CF5
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBE6D06

Strings

ios_base::failbit set, xrefs: 00007FFE0EBE6C20, 00007FFE0EBE6C48, 00007FFE0EBE6CC9
ios_base::badbit set, xrefs: 00007FFE0EBE6C3C, 00007FFE0EBE6C90, 00007FFE0EBE6CBD
ios_base::eofbit set, xrefs: 00007FFE0EBE6C4F, 00007FFE0EBE6CD0

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1099746521-1866435925
Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
Instruction ID: 8faaeb758318ed81f72fdd3940cf9df5cebf773db5cd0697e721135aa0132016
Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
Instruction Fuzzy Hash: D121D8A1A1954AA5FE24DF10E8C26FA1321FFA0340F984036D5CE427BEEF2ED545CB41

Function 0000000140004FF0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233

Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA

memcmp.VCRUNTIME140 ref: 00000001400052B4
memcmp.VCRUNTIME140 ref: 0000000140005325
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA

Strings

SideCarLut, xrefs: 00000001400050D1, 000000014000512C
MRDH, xrefs: 0000000140005433

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
String ID: MRDH$SideCarLut
API String ID: 916663099-3852011117
Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300

Function 00007FFE0EC29940 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC29B4E
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EC29B5F
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC29BA2
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EC29BB3

Strings

ios_base::failbit set, xrefs: 00007FFE0EC29B22, 00007FFE0EC29B76
ios_base::badbit set, xrefs: 00007FFE0EC29B16, 00007FFE0EC29B6A
ios_base::eofbit set, xrefs: 00007FFE0EC29B29, 00007FFE0EC29B7D

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
Instruction ID: 77e40d3296f41f798c76409092917bc708989f0f3305adf5f67149eb8c7ce699
Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
Instruction Fuzzy Hash: 57613062A08A86A5EB64CF19D4D13B96760FBD4F84F54803ACA8E477B5DF3ED846C301

Function 00007FFE0EBF43F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167fileCOMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EBF4494
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBF44A5
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBF4581
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBF460D

Strings

ios_base::failbit set, xrefs: 00007FFE0EBF4468
ios_base::badbit set, xrefs: 00007FFE0EBF445D
ios_base::eofbit set, xrefs: 00007FFE0EBF446F

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1428583292-1866435925
Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
Instruction ID: c714b26ba80fb00c46a166b756a9340bfefe1fcbbb14cf421bd683f3ab46b683
Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
Instruction Fuzzy Hash: E9719E72619A86A9EF64CF65E4802BE33A0FB54B88F844032EA8D67B74DF3DD555C700

Function 00007FFE13305F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE133063F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE13306434
Part of subcall function 00007FFE133063F0: RaiseException.KERNEL32 ref: 00007FFE1330647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE13305FA7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE13306003

Strings

Bad read pointer - no RTTI data!, xrefs: 00007FFE13306108
Attempted a typeid of nullptr pointer!, xrefs: 00007FFE133060E5
Bad dynamic_cast!, xrefs: 00007FFE13306072
Access violation - no RTTI data!, xrefs: 00007FFE13305F0A, 00007FFE1330612B

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction ID: 2d98b8da232cc3116597f5cefd4a62557a2472c79bfa4be9646a38cfaf8c31a4
Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction Fuzzy Hash: B851B362A0DE46DAEE20CB26E4901BD6360FF64BA4F504571DAAD276BADF3CE505C304

Function 00007FFE0EC296E0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC298D3
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0EC1C678), ref: 00007FFE0EC298E4
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EC29927
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0EC1C678), ref: 00007FFE0EC29938

Strings

ios_base::failbit set, xrefs: 00007FFE0EC298A7, 00007FFE0EC298FB
ios_base::badbit set, xrefs: 00007FFE0EC2989B, 00007FFE0EC298EF
ios_base::eofbit set, xrefs: 00007FFE0EC298AE, 00007FFE0EC29902

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
Instruction ID: 63c39ad9b4c8c5f46fbdca7229f5d110ed462b561525edb83be33b2a9f64b6f2
Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
Instruction Fuzzy Hash: 3E615E62A08A8595EB64CF19D4D13B96760FBD0F94F58803ACA8E477B5DF3ED846C302

Function 00007FFE0EC19E70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC19EBA
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC19F4C
memchr.VCRUNTIME140 ref: 00007FFE0EC19F5E
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EC19F93
memchr.VCRUNTIME140 ref: 00007FFE0EC19FA1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC1A01F

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFE0EC19F55, 00007FFE0EC19F6B

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-4256519037
Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
Instruction ID: 1cbab3bdbb2275eb32b3d0a3aad655d2544c2f89891c474bea03450ae75cca09
Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
Instruction Fuzzy Hash: C551E722A0D6C666E7218E3594A43B976D0BF86B94F484174DDDE437B4DE3EE842C702

Function 00007FFE1330E148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E1BC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E1CB
DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330E2E8

Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C459
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C492
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E26B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E27B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330E325

Strings

{for , xrefs: 00007FFE1330E1F4

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: {for
API String ID: 179159573-864106941
Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction ID: 02bc4ae01f6feb34610a84400f8f8328b14b6835919ffc7dfbfe76f607d78339
Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction Fuzzy Hash: 4E518D72A08E859DE7019F26C4413EC77A4EB24768F4080B1EA6C27BA6DF7CD650C318

Function 00007FFE0EBEB280 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 127COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EBEB311
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBEB322
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EBEB417
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBEB428

Strings

ios_base::failbit set, xrefs: 00007FFE0EBEB2E5, 00007FFE0EBEB3EB
ios_base::badbit set, xrefs: 00007FFE0EBEB2DA, 00007FFE0EBEB3E0
ios_base::eofbit set, xrefs: 00007FFE0EBEB2EC, 00007FFE0EBEB3F2

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
Instruction ID: ed9e231ab8a70a85ba7038c2219035a5585218d6dea263a80519a103c27ac526
Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
Instruction Fuzzy Hash: A7519E62A08A4A91EF60CF29D5C12BD6760FF84B84F544532DA9D837B9DF2DD845CB00

Function 00007FFE133068AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE13306931
GetLastError.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE1330693F
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE13306958
LoadLibraryExW.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE1330696A
FreeLibrary.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE133069B0
GetProcAddress.KERNEL32(?,?,?,00007FFE13306A6B,?,?,00000000,00007FFE1330689C,?,?,?,?,00007FFE133065E5), ref: 00007FFE133069BC

Strings

api-ms-, xrefs: 00007FFE13306951

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction ID: b7aae946a8d91d241258989ff18183624e8fbc637ecef721bb62c4943a7a1a7f
Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction Fuzzy Hash: 0231C421B1AE4299EE11DB0799002B9A394FF64BB0F294575DD7D2B7A9EF3CE144C308

Function 00007FFE1A453558 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A4535DD
GetLastError.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A4535EB
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A453604
LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A453616
FreeLibrary.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A45365C
GetProcAddress.KERNEL32(?,?,?,00007FFE1A453717,?,?,00000000,00007FFE1A453548,?,?,?,?,00007FFE1A4532C9), ref: 00007FFE1A453668

Strings

api-ms-, xrefs: 00007FFE1A4535FD

Memory Dump Source

Source File: 0000000C.00000002.1920546941.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 0000000C.00000002.1920454243.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920747487.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920936180.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe1a450000_ImporterREDServer.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
Instruction ID: 4c7697f960399a6fe41d7a27a0a58cfa91874543dcc4120afa2ed25dc96e39d3
Opcode Fuzzy Hash: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
Instruction Fuzzy Hash: 2631B261B1AE4291EE21AB13A82057A63D4BF48FB0F5945FADD1D473A0DF3CF4658740

Function 00007FFE0EC112C4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EC11309
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EC11326
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EC1134B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EC11368

Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE0EC11373
:AM:am:PM:pm, xrefs: 00007FFE0EC11392
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EC11331

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2607222871-35662545
Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
Instruction ID: 9afad98429ebff60d15a7fe96f73f765993c2230ce5c02c0b1a43d69db30781e
Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
Instruction Fuzzy Hash: E6216136A04B8592EB10DF31E4802A973A1FB99F84F458235DB8D4776AEF3CE581C780

Function 00007FFE0EBF6A20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBF6A5E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBF6A7B
_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBF6A9B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBF6AB8

Part of subcall function 00007FFE0EBE4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4DF9
Part of subcall function 00007FFE0EBE4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E28
Part of subcall function 00007FFE0EBE4DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E3F

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EBF6A86
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE0EBF6AC3
:AM:am:PM:pm, xrefs: 00007FFE0EBF6AD4

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2607222871-3743323925
Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
Instruction ID: 4cd3df4714114d82e6760b6bd82cd0d7a80332975adb6f7598c78fa052ede494
Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
Instruction Fuzzy Hash: 92216522E08B8592D720DF21E49427973B0FF99B84F405235DA8E53766DF7DE494C781

Function 00007FFE133025E8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133026A0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133026BE
__AdjustPointer.LIBCMT ref: 00007FFE133026FF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330270C
__AdjustPointer.LIBCMT ref: 00007FFE13302748
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330275D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133027A2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133027A9

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction ID: d500719622b797de94648a33a44b72416860f68811ac72ad3da824d0d9412dea
Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction Fuzzy Hash: B351D321E09E4689EAA6CB13D04463C63A4AF74FB0F0540B5EE6DA67B6DF6CE441C308

Function 00007FFE133027CC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302886
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133028A5
__AdjustPointer.LIBCMT ref: 00007FFE133028E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133028F3
__AdjustPointer.LIBCMT ref: 00007FFE1330292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302944
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302989
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302990

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction ID: b32aa8f634e8eeee5686d8ca7137b57ea6fb95e40eb4694476f06213cda9143e
Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction Fuzzy Hash: A951D721E09E4389FAA5CB57948463CA394EF74FB1F0944B5CEADA67B5DF2CE4418308

Function 00007FFE0EC190D0 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC19CD4: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19CFA
Part of subcall function 00007FFE0EC19CD4: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19D64

_Stoflt.LIBCPMT ref: 00007FFE0EC1915B
_Xp_setn.LIBCPMT ref: 00007FFE0EC19196
_Xp_setn.LIBCPMT ref: 00007FFE0EC191D1
_Xp_addx.LIBCPMT ref: 00007FFE0EC191E4
_Xp_setn.LIBCPMT ref: 00007FFE0EC19262
_Xp_setn.LIBCPMT ref: 00007FFE0EC1929D
_Xp_addx.LIBCPMT ref: 00007FFE0EC192B1

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
Instruction ID: 245d84d56b4df23139c0016f24dc0422386f1597a507a705dcb3876f1446f6b6
Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
Instruction Fuzzy Hash: 7561F422B1CAC2A2E611DE61E4D05FE6720FBD6744F500136EE8E537A5DE3EE5468B02

Function 00007FFE0EC19950 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC19CD4: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19CFA
Part of subcall function 00007FFE0EC19CD4: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19D64

_Stoflt.LIBCPMT ref: 00007FFE0EC199DB
_Xp_setn.LIBCPMT ref: 00007FFE0EC19A16
_Xp_setn.LIBCPMT ref: 00007FFE0EC19A51
_Xp_addx.LIBCPMT ref: 00007FFE0EC19A64
_Xp_setn.LIBCPMT ref: 00007FFE0EC19AE2
_Xp_setn.LIBCPMT ref: 00007FFE0EC19B1D
_Xp_addx.LIBCPMT ref: 00007FFE0EC19B31

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
Instruction ID: 8860a8621c83dbc04c79b49f028f71c0b0be12d77038ae91dde9bfa2a155ab7b
Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
Instruction Fuzzy Hash: CD610622B1C6C2A6E711DE61E4D05BE6720FBC6744F500172EECD536A5DE3EE54A8B01

Function 000000014000C2E0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 164COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE

Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E

memcpy.VCRUNTIME140 ref: 000000014000C3C8
memcpy.VCRUNTIME140 ref: 000000014000C427

Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F

Strings

REDR3D-x64.dll, xrefs: 000000014000C41D, 000000014000C43B
[TEST TEST] IGNORING REDIRECT %s, xrefs: 000000014000C542
[LOAD PATH ] %s, xrefs: 000000014000C310

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: memcpy$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
API String ID: 1244713665-103080910
Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340

Function 00007FFE13305520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE133055E9
_local_unwind.LIBVCRUNTIME ref: 00007FFE1330568C

Strings

csm, xrefs: 00007FFE133056D0
RCC, xrefs: 00007FFE1330556E
csm, xrefs: 00007FFE13305584
MOC, xrefs: 00007FFE13305562

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction ID: ee08a0d92f4298641f4ed53d2ae382b87543e4a7517ba80243e9bf94bfaf9f7c
Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction Fuzzy Hash: F8517172E0DA168EFB609F26900137D76A0FF64BA4F141071EA6D663A5DF3CE4818B05

Function 00000001400074F0 Relevance: 10.6, APIs: 7, Instructions: 131COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1492985063-0
Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300

Function 00007FFE0EBEBA68 Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB38
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB48
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB5D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB91
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBB9B
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBBAB
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBBBB

Part of subcall function 00007FFE0EC325AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5AF8), ref: 00007FFE0EC325C6

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memmove$memset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1468981775-0
Opcode ID: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
Instruction ID: 552e7374e007507aaf32d696a545a73df43f81e57ff5f8e1cd957fd1923afc4b
Opcode Fuzzy Hash: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
Instruction Fuzzy Hash: 7A41B421B08681A1EE24DF66E5842A9A351FB44BD4F544532EF9D0BBBEDE7CD041C740

Function 00007FFE0EBF2FAC Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFE0EBF2FD9
GetCurrentThreadId.KERNEL32 ref: 00007FFE0EBF2FF4
GetCurrentThreadId.KERNEL32 ref: 00007FFE0EBF300A
xtime_get.LIBCPMT ref: 00007FFE0EBF3046
GetCurrentThreadId.KERNEL32 ref: 00007FFE0EBF3061
GetCurrentThreadId.KERNEL32 ref: 00007FFE0EBF3096
GetCurrentThreadId.KERNEL32 ref: 00007FFE0EBF30EF

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: CurrentThread$xtime_get
String ID:
API String ID: 1104475336-0
Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
Instruction ID: 79465ca6b675407478ecc27e2a016d28c5bb8bf691b7348bf8a57c994f1016a7
Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
Instruction Fuzzy Hash: 2B41CB32A0864796EA78CF35E48477973A1EB44B45F504036DBCE926B1DF3EE885CB01

Function 00007FFE0EBF58B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EBF5954
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBF5965
setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBF599E

Strings

ios_base::failbit set, xrefs: 00007FFE0EBF5928
ios_base::badbit set, xrefs: 00007FFE0EBF591D, 00007FFE0EBF5970
ios_base::eofbit set, xrefs: 00007FFE0EBF592F

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2924853686-1866435925
Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
Instruction ID: 3f3357b9f172789a0f47161016322e7f47f97597d3826bb6f1a7a791764ec3e8
Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
Instruction Fuzzy Hash: 5C41B273A15B8696EB68CF25E4803AD33A0FB14B98F444131DA8C57669DF3DD5A4CB40

Function 00007FFE0EC03B28 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EC03B56

Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

_Maklocstr.LIBCPMT ref: 00007FFE0EC03BCF
_Maklocstr.LIBCPMT ref: 00007FFE0EC03BE5
_Getvals.LIBCPMT ref: 00007FFE0EC03C8A

Strings

true, xrefs: 00007FFE0EC03BDE
false, xrefs: 00007FFE0EC03BC8

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2626534690-2658103896
Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
Instruction ID: aca3de2adbe277101c996bd361fedcc0a3276ebbf42599ba96e635e6de0dadea
Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
Instruction Fuzzy Hash: 47414C26B08A81A9F711CF74E4401ED33B1FB98748B405236EE8D67A69EF38D596C780

Function 00007FFE1330D740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1330CE14), ref: 00007FFE1330D803
DName::DName.LIBVCRUNTIME ref: 00007FFE1330D822

Strings

void, xrefs: 00007FFE1330D786
`template-parameter, xrefs: 00007FFE1330D830

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction ID: 76a62267eba4e3c23af488a9991f97291b3bf2fd9791966979e339055da59c44
Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction Fuzzy Hash: 0A413522F08F56CCFB009BA6D8552BC23B1BB28BA8F541175DE2D26A79DF38A505C344

Function 00007FFE13308624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE133086DB

Strings

void, xrefs: 00007FFE13308759
<ellipsis>, xrefs: 00007FFE13308734
..., xrefs: 00007FFE13308724
,..., xrefs: 00007FFE133086A8
,<ellipsis>, xrefs: 00007FFE133086B8

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2943138195-2211150622
Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction ID: 076c5fff74ffc01a178469f328f098d03c90abe817e8f858a146097334025b89
Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction Fuzzy Hash: 1F414A72A08F4ACCFB018F66D8402AC7BB0BB28728F444171DA6D6637ADF3CA545C748

Function 00007FFE1330A31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A40F

Strings

short , xrefs: 00007FFE1330A39C
unsigned , xrefs: 00007FFE1330A3E3
char , xrefs: 00007FFE1330A3A5
int , xrefs: 00007FFE1330A38D
long , xrefs: 00007FFE1330A37E

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction ID: 73479b7d9560641004236f9dc9eae077e86501b2da49d0c88ba7b5958bf5234e
Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction Fuzzy Hash: 06416A72A18A56CCF7118F7AE8441BC37B1BB28764F4482B1DE2C62BB9DF389545C708

Function 00007FFE0EBEC0A0 Relevance: 9.3, APIs: 6, Instructions: 318stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBEC13D
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBEC150
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBEC165
memset.VCRUNTIME140 ref: 00007FFE0EBEC1F1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBEC4AD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBEC4F7

Part of subcall function 00007FFE0EBF1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0EBEC320), ref: 00007FFE0EBF1DFB
Part of subcall function 00007FFE0EBF1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE0EBEC320), ref: 00007FFE0EBF1E08

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
String ID:
API String ID: 3009415009-0
Opcode ID: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
Instruction ID: 4b109ae2f28a530a12141c145e22dae3e426cbfb02934c6a63f998653b5fd528
Opcode Fuzzy Hash: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
Instruction Fuzzy Hash: 54E14B22B09B8695EB11CFB9D4406AC6771FB49B88F504136DE9D27BA9DF3CD44AC700

Function 00007FFE0EC186F0 Relevance: 9.2, APIs: 6, Instructions: 235COMMON

Download Yara Rule

APIs

_Dunscale.LIBCPMT ref: 00007FFE0EC1872B
_Dunscale.LIBCPMT ref: 00007FFE0EC187DF

Part of subcall function 00007FFE0EC0FFB0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0EC0EFA4), ref: 00007FFE0EC0FFB9

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
Instruction ID: 59b1b3afaf6aebcb04d8dd5a17f4a23d7bcc3ab028dee75a38d7bb2218fc8fc2
Opcode Fuzzy Hash: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
Instruction Fuzzy Hash: 45A1E617D1CFC6A6E719DE3484C01BD2362FF17794F508275EB8A265A5EF39A0A2C342

Function 00007FFE0EC100EC Relevance: 9.2, APIs: 6, Instructions: 235COMMON

Download Yara Rule

APIs

_FDunscale.LIBCPMT ref: 00007FFE0EC10127
_FDunscale.LIBCPMT ref: 00007FFE0EC101DA

Part of subcall function 00007FFE0EC0FFB0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0EC0EFA4), ref: 00007FFE0EC0FFB9

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
Instruction ID: 12d8294eb01d6d92b4071827f797c20b806341b1cdacebf2424ba261adabd400
Opcode Fuzzy Hash: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
Instruction Fuzzy Hash: F9A1D532E086C6BAEB10DE2685C20BC7352FF56358F544270EB89125F6DF3AB4D69702

Function 000000014000AF60 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,000000014000B31C), ref: 000000014000B027
memcpy.VCRUNTIME140(?,?,?,?,?,000000014000B31C), ref: 000000014000B0B9
memcpy.VCRUNTIME140(?,?,?,?,?,000000014000B31C), ref: 000000014000B15E

Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4

Part of subcall function 0000000140009FD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000A0FD
Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A107
Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A115

memcpy.VCRUNTIME140 ref: 000000014000B1EF
memcpy.VCRUNTIME140 ref: 000000014000B254

Strings

R3DAPI 7.3.1-44A14 (20200513 W64S), xrefs: 000000014000AFA1

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
API String ID: 2665656946-1215215629
Opcode ID: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
Instruction ID: 1f94f83d43c849715069b53280c3cf1e8531b19b99bc01c412034d7b6d4e24df
Opcode Fuzzy Hash: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
Instruction Fuzzy Hash: B19122B1211A8499EB22DF27F8503DA7361F74ABD4F884222EB490B7B9DB7EC141C701

Function 00007FFE0EBE8F20 Relevance: 9.2, APIs: 6, Instructions: 185COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBE8FD3

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
Instruction ID: f689f416f7fcdde8a6f0ba1c965c232d136c4f4ba637338478ae5514761810df
Opcode Fuzzy Hash: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
Instruction Fuzzy Hash: B6915073605A81D8EB24CF35C4943AC33A1FB84B98F551632EA9D87BA9DF3AD458C740

Function 00007FFE0EC1B1C0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC1BBD8: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BBFE
Part of subcall function 00007FFE0EC1BBD8: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BC76

_Xp_setn.LIBCPMT ref: 00007FFE0EC1B286
_Xp_setn.LIBCPMT ref: 00007FFE0EC1B2C1
_Xp_addx.LIBCPMT ref: 00007FFE0EC1B2D4
_Xp_setn.LIBCPMT ref: 00007FFE0EC1B352
_Xp_setn.LIBCPMT ref: 00007FFE0EC1B38D
_Xp_addx.LIBCPMT ref: 00007FFE0EC1B3A1

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
Instruction ID: 50a5fa67ed678d2f27098a6ded44614926f85c06d1736a7c39ff513b1bee163f
Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
Instruction Fuzzy Hash: 6B61F722B1C6C2E2E611DE61E4C05FE6720FB96744F500176EE8D537A5DE3ED84A8B01

Function 00007FFE0EC1B960 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC1BBD8: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BBFE
Part of subcall function 00007FFE0EC1BBD8: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BC76

_Xp_setn.LIBCPMT ref: 00007FFE0EC1BA26
_Xp_setn.LIBCPMT ref: 00007FFE0EC1BA61
_Xp_addx.LIBCPMT ref: 00007FFE0EC1BA74
_Xp_setn.LIBCPMT ref: 00007FFE0EC1BAF2
_Xp_setn.LIBCPMT ref: 00007FFE0EC1BB2D
_Xp_addx.LIBCPMT ref: 00007FFE0EC1BB41

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
Instruction ID: d34401fff68750012ee56e62070e06ff3b493ce9a8b90424d8bb37001f6c87c3
Opcode Fuzzy Hash: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
Instruction Fuzzy Hash: 23610722B1CAC2E6E711DF61E4C05BE6720FB86344F500172EECD57AA9DE3ED9498B01

Function 00007FFE0EBE9A58 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFE0EBE9B42
memmove.VCRUNTIME140 ref: 00007FFE0EBE9B52
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBE9B91
memmove.VCRUNTIME140 ref: 00007FFE0EBE9B9B
memmove.VCRUNTIME140 ref: 00007FFE0EBE9BAB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE0EBE9BDA

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
Instruction ID: 4afbe508269da6d222e440a8358ffe22a5322b69c253a3cd9e93c0a6d310b593
Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
Instruction Fuzzy Hash: 36410465B18685A1EE24DF26E4442A96351EF48FE0F544631DFAD07BFADE3CE045C740

Function 00007FFE0EBEA000 Relevance: 9.1, APIs: 6, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFE0EBEA078
GetFileInformationByHandle.KERNEL32 ref: 00007FFE0EBEA08E
CloseHandle.KERNEL32 ref: 00007FFE0EBEA09D
CreateFileW.KERNEL32 ref: 00007FFE0EBEA0C7
GetFileInformationByHandle.KERNEL32 ref: 00007FFE0EBEA0DD
CloseHandle.KERNEL32 ref: 00007FFE0EBEA0EC

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: FileHandle$CloseCreateInformation
String ID:
API String ID: 1240749428-0
Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
Instruction ID: 8a9858ccb10eef3211e9c3877b48a3205bdba7902179ba2707240577b4e57aa7
Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
Instruction Fuzzy Hash: BE41B432F086828AF760CF74E8507BA33A0AB587A8F015735DE9C46BA8DF39D5958740

Function 00007FFE133062D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE13306326
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE13306369
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE13306393
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE133063B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE133063BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE133063C5

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction ID: 95331ba962e91b6897781405d6a7c78559e53180b704b7f8b1a809176f030245
Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction Fuzzy Hash: F931E122B19F5188EB118B27A8041AD63A4FF28FF0B6846B5DE3D133A4EE3DD442C344

Function 00000001400117B8 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

__scrt_initialize_onexit_tables.LIBCMT ref: 00000001400117E8

Part of subcall function 0000000140010DD8: _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140010E1A

_RTC_Initialize.LIBCMT ref: 00000001400117F1

Part of subcall function 0000000140010FEC: _onexit.LIBCMT ref: 0000000140010FF0

_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 000000014001183D
_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014001184B
__scrt_fastfail.LIBCMT ref: 0000000140011869
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 0000000140011874

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
String ID:
API String ID: 2153537742-0
Opcode ID: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
Instruction ID: 534899ad21150968aac174715d7514135b35f9473fc5e80356d1b8ef46292b69
Opcode Fuzzy Hash: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
Instruction Fuzzy Hash: 95115E38A0024155FA5FB7F398173EC11969FAC3C4F454524BB498F2F3EE7B88658662

Function 00007FFE0EBE2F50 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2F59
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2F6B
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2F7A
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2FE0
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE2FEE
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE0EBE5F96), ref: 00007FFE0EBE3001

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
String ID:
API String ID: 490008815-0
Opcode ID: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
Instruction ID: 81688cfba89588d0e586763b4db72daf65652c5b9e8c2e1a7758eb76e9c3d229
Opcode Fuzzy Hash: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
Instruction Fuzzy Hash: 66212A22D18B8583E7158F38D5552B873A0FBA9B48F15A234CECC16326EF79E6E5C340

Function 0000000140007850 Relevance: 9.0, APIs: 6, Instructions: 21fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32 ref: 0000000140007859
CloseHandle.KERNEL32 ref: 0000000140007866
UnmapViewOfFile.KERNEL32 ref: 0000000140007873
CloseHandle.KERNEL32 ref: 0000000140007880
CloseHandle.KERNEL32 ref: 000000014000788D
CloseHandle.KERNEL32 ref: 000000014000789A

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
Instruction ID: e4157fc547da492297a5d265050bc8fab675aa544c6886f43f24823cbbcadd6d
Opcode Fuzzy Hash: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
Instruction Fuzzy Hash: 1DF01438616E00D5FA07DB63ECA83A427A1BB8DBD9F440211EB4E4B331DE3F85998300

Function 00007FFE133038A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

EncodePointer.KERNEL32 ref: 00007FFE13303918
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE13303963
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303B91

Strings

MOC, xrefs: 00007FFE1330392C
RCC, xrefs: 00007FFE13303934

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction ID: 5d14bb7f7ae126e2c0e8e7936ef9fcc0985c046511a1c4f85e930de763b7b301
Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction Fuzzy Hash: 5F91A273A08B818EE710CB66E8802AE7BA0F7547A8F14417AEF9D27765DF38D195C704

Function 00007FFE1A451B3C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A451222), ref: 00007FFE1A4534DC

EncodePointer.KERNEL32 ref: 00007FFE1A451BAC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A451BF7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A451E25

Strings

MOC, xrefs: 00007FFE1A451BC0
RCC, xrefs: 00007FFE1A451BC8

Memory Dump Source

Source File: 0000000C.00000002.1920546941.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 0000000C.00000002.1920454243.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920747487.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920936180.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe1a450000_ImporterREDServer.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: b9d59197ed9058caaff3681df3c64902a43601032ad083162a420140406a310d
Instruction ID: f6990e212b63b9d77aff2c40b0969a7ea4bd145461f67864c5c5fb56a3a2a7cd
Opcode Fuzzy Hash: b9d59197ed9058caaff3681df3c64902a43601032ad083162a420140406a310d
Instruction Fuzzy Hash: 269195B3B04B818AE711EB6AD4402BD77B0FB45B98F1041A6EA4D17765DF38D1A5CB00

Function 00007FFE1330BB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330BC50

Part of subcall function 00007FFE13308C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330913D
Part of subcall function 00007FFE13308C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE13309175

Strings

std::nullptr_t , xrefs: 00007FFE1330BDC5
volatile , xrefs: 00007FFE1330BBD3, 00007FFE1330BD21
volatile, xrefs: 00007FFE1330BBE2, 00007FFE1330BD30
std::nullptr_t, xrefs: 00007FFE1330BDF1

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction ID: 0682f87c3c18d3d479ff9e9da1c76e920fd00e96dce7eacdba13cfdbe7fe842a
Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction Fuzzy Hash: 7B717F71A08E428CEB58CF56D9501BCA7B4BB257A4F4445B5DA6D23AB9DF3CE250C308

Function 000000014000ABD0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 150COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 000000014000AD12
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5

Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE

Strings

[FAIL INT. ] too many paths, xrefs: 000000014000AC12
[FAIL INT. ] path '%s' already exists at index %u, xrefs: 000000014000AD7C
@, xrefs: 000000014000AD6E

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
API String ID: 3207467095-2931640462
Opcode ID: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
Instruction ID: 2da19ac7c4dfbac8c42f28ebd32a6b72bd3b2cb838895640dc67fbc0c8e08b7c
Opcode Fuzzy Hash: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
Instruction Fuzzy Hash: DC5169B2B10A5489EB11CF6AE8407DD37B1F709BA8F504216EF2A67BE9DB74C581C740

Function 00007FFE13303690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

EncodePointer.KERNEL32 ref: 00007FFE133036DC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1330372B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330389F

Strings

RCC, xrefs: 00007FFE133036F9
MOC, xrefs: 00007FFE133036F0

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction ID: 7c840b8be91657f5a40371bd575335ee382201b86d704a9cdd3888d30f102607
Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction Fuzzy Hash: 19616936A08F858AE714CF66D0803AE77A0FB54BA8F144165EF5D23B68CF78E055C708

Function 00007FFE0EC19CD4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19CFA
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19D0B
isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19D64
isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC19122), ref: 00007FFE0EC19E14

Strings

(, xrefs: 00007FFE0EC19E08

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: isspace$isalnumisxdigit
String ID: (
API String ID: 3355161242-3887548279
Opcode ID: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
Instruction ID: 9751574c17c1764370e9eb11513b917356370601c6596b7aed8b613d59cd95bb
Opcode Fuzzy Hash: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
Instruction Fuzzy Hash: 7A41A617D0C5C266EB258F31E5A13F56B919F52B84F08D070CAD8072A6DE3FE8058712

Function 00007FFE0EC1BBD8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BBFE
iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BC0F
iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0EC1B212), ref: 00007FFE0EC1BC76

Strings

(, xrefs: 00007FFE0EC1BD47

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: iswspace$iswxdigit
String ID: (
API String ID: 3812816871-3887548279
Opcode ID: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
Instruction ID: 883ff5f3f2881b26a2edc56de29c078b3e45fde9c0484808efbb2c224ebd397d
Opcode Fuzzy Hash: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
Instruction Fuzzy Hash: 2A51A756D085D3E1EB28AB61D5912F972A1EF21B88F488071DACD464B8EF7FEC41C712

Function 00007FFE0EC039E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0EBFA22C), ref: 00007FFE0EC03A25

Part of subcall function 00007FFE0EBEB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7BF
Part of subcall function 00007FFE0EBEB794: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7DB

_Getvals.LIBCPMT ref: 00007FFE0EC03A61

Strings

$+xv, xrefs: 00007FFE0EC03B08
$+xv, xrefs: 00007FFE0EC03A91
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFE0EC03A98

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3031888307-3573081731
Opcode ID: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
Instruction ID: 3721014ccf9136a2136447127ad442cd4960a47e0681dc451f69f4ec4855eebb
Opcode Fuzzy Hash: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
Instruction Fuzzy Hash: B141BE72A08BC1ABE725CF66958057D7BA0FB85B81B044235DB8943E21DF79F571CB00

Function 00007FFE0EC03CB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EC03CE2

Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

_Maklocstr.LIBCPMT ref: 00007FFE0EC03D5B
_Maklocstr.LIBCPMT ref: 00007FFE0EC03D71

Strings

true, xrefs: 00007FFE0EC03D6A
false, xrefs: 00007FFE0EC03D54

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 309754672-2658103896
Opcode ID: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
Instruction ID: 4a875babe7295aebd8193d04d75b4e318b8aa3ff2c88c6a3647d1c5db6d6c592
Opcode Fuzzy Hash: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
Instruction Fuzzy Hash: C9414923A18B85A9E714CFB0E4901ED33B0FB88748B405136EE8D67B69EF38D595C794

Function 00007FFE0EBE83E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EBE8483
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBE8494

Strings

ios_base::failbit set, xrefs: 00007FFE0EBE8457
ios_base::badbit set, xrefs: 00007FFE0EBE844C
ios_base::eofbit set, xrefs: 00007FFE0EBE845E

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
Instruction ID: 9a4aea7ab831396da08781dad93c818f930da4b54411dc3eecb651b3eb6d54ed
Opcode Fuzzy Hash: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
Instruction Fuzzy Hash: 6D21A162A18B8696EE28DF25E5813B96370FB50784F884031D6CD47BB9DF3DE1A5CB00

Function 00007FFE0EBE8D10 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EBE8D67
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBE8D78

Strings

ios_base::failbit set, xrefs: 00007FFE0EBE8D3B
ios_base::badbit set, xrefs: 00007FFE0EBE8D2F
ios_base::eofbit set, xrefs: 00007FFE0EBE8D42

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
Instruction ID: b89b571d83ab09ca7de993d3b0f756d6072d179c7ebbee554d04edccf5b821c7
Opcode Fuzzy Hash: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
Instruction Fuzzy Hash: C4F0D6A1A18A4AE5EE28CB10E4816F92321FB90744F984435D18D066B9DF3EE146CB41

Function 0000000140006B70 Relevance: 7.8, APIs: 5, Instructions: 255COMMON

Download Yara Rule

APIs

?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
memcpy.VCRUNTIME140 ref: 0000000140006DD5
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3275830057-0
Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340

Function 00007FFE0EBF4A60 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

fgetwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBF4B16

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
Instruction ID: 7b6d0cd1994a07db59450b6f70136df15b4138547ebad035d42f3e0653dffa0f
Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
Instruction Fuzzy Hash: 07816D73605A81C8EB24CF65C0903AD33A1FB48B98F511636EB9E97BA9DF3AD454C700

Function 0000000140009FD0 Relevance: 7.6, APIs: 5, Instructions: 112COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 000000014000A0B6
memcpy.VCRUNTIME140 ref: 000000014000A0C4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000A0FD
memcpy.VCRUNTIME140 ref: 000000014000A107
memcpy.VCRUNTIME140 ref: 000000014000A115

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2665656946-0
Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304

Function 00007FFE0EBEB90C Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEB9D3
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEB9E1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBA1A
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBA24
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEBA32

Part of subcall function 00007FFE0EC325AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5AF8), ref: 00007FFE0EC325C6

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memmovememset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 3042321802-0
Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
Instruction ID: d108c35fd97fb65bc0fae609ff0e1806d27cdf1927f5d9ab38a00a1e6fad36e3
Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
Instruction Fuzzy Hash: FD31F425B0868291EE34DF26A5883BA6351FB08BD0F184531DFDD0BBBADE7CE4818741

Function 00007FFE13309FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1330A01D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A03F
DName::DName.LIBVCRUNTIME ref: 00007FFE1330A052
DName::DName.LIBVCRUNTIME ref: 00007FFE1330A089
DName::DName.LIBVCRUNTIME ref: 00007FFE1330A094

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction ID: 7cb61d355a5f40449ad77c13eff0d40855d6e504d61ebdd8f5c1303e3e6f3e96
Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction Fuzzy Hash: EA415C32A08E5688F710CB62E9801BC33B4BB25BA0B5445B2DA6D637B5DF3CE956C304

Function 00007FFE0EBE4C30 Relevance: 7.5, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EBF2160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE0EBE4C3E,?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBF216F

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C47
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C5B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C6F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C83
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4C97
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5B5B), ref: 00007FFE0EBE4CAB

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$setlocale
String ID:
API String ID: 294139027-0
Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
Instruction ID: 1e5e5b5c56ee6cdaed43a69cc404b4ccdd17864811d9adf89869215911524983
Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
Instruction Fuzzy Hash: FA110922A06A4591EB69DF71C0E633963A1EF44F48F180534CA4E0A368CF6EE894D3C1

Function 00007FFE0EBF3380 Relevance: 7.5, APIs: 5, Instructions: 17COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBF338E
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBF339A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBF33A5
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBF33B3
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBF33B9

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: __acrt_iob_func$abortfputcfputs
String ID:
API String ID: 2697642930-0
Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
Instruction ID: 7bdc807064fb7b8a419106e8305be1092c2de405a92226c96f21e0b23743f289
Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
Instruction Fuzzy Hash: D2E0ECA4A186C6A6EB08ABB1EC9933563269F48F52F240538C98F46378CE2D64884212

Function 00007FFE0EC0C480 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFE0EC0C5EC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0C6D9

Strings

%.0Lf, xrefs: 00007FFE0EC0C51D
0123456789-, xrefs: 00007FFE0EC0C524

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove
String ID: %.0Lf$0123456789-
API String ID: 4032823789-3094241602
Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
Instruction ID: ec0ec5e9b4c5a6d559d8996877f88adf1f1b31fe7816efb027d36354706b5d0d
Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
Instruction Fuzzy Hash: 1A717B66B09B95A9EB10CFA5D4906BC7371EB48B88F404136EE8D17BA8DE3DD44AC341

Function 00007FFE0EC16E40 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FFE0EC16F41
memmove.VCRUNTIME140 ref: 00007FFE0EC16FA2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC1708C

Strings

0123456789-, xrefs: 00007FFE0EC16EE2

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
String ID: 0123456789-
API String ID: 2457263114-3850129594
Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
Instruction ID: d043602b282152a7f51340c5a60ffe27758ae94b0e2e64b35f45cc576cd214c9
Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
Instruction Fuzzy Hash: 78719D22B09BC5A9FB10CBB5D4902AC7771EB4AB98F440076DE9D17BA9CE39D45AC301

Function 000000014000CA70 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1

Strings

gfffffff, xrefs: 000000014000CC52
gfffffff, xrefs: 000000014000CA9F

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: gfffffff$gfffffff
API String ID: 3668304517-161084747
Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301

Function 00007FFE0EC170C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFE0EC1715A
memset.VCRUNTIME140 ref: 00007FFE0EC17212
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC172F9

Part of subcall function 00007FFE0EBEB7FC: memset.VCRUNTIME140(?,?,?,?,?,?,00000000,00007FFE0EC11347), ref: 00007FFE0EBEB8A2

Strings

%.0Lf, xrefs: 00007FFE0EC1714A

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 1248405305-1402515088
Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
Instruction ID: 170b2e4c54f029ca353c0237e47f5d75a17ec4ae1e901d4e7d2bb818d132b581
Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
Instruction Fuzzy Hash: F161B222B08BC195EB11CB76E8802AD7771EB4AB94F544172EE8D27B7ADE3DD046C301

Function 00007FFE13304044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133041C3

Strings

csm, xrefs: 00007FFE133041FD
, xrefs: 00007FFE13304114
csm, xrefs: 00007FFE13304093

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction ID: 14df9676fac50ec4151e1d24cfdfbf85645f10e7f67e0b0115b422b790d0cd56
Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction Fuzzy Hash: 7371A332A08A818AD7648F16D4407BD7BA0FB64FA8F048175DFAC27AA9CB3CD551CB44

Function 00007FFE1A4520B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A451222), ref: 00007FFE1A4534DC

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45222F

Strings

, xrefs: 00007FFE1A452180
csm, xrefs: 00007FFE1A4520FF
csm, xrefs: 00007FFE1A452269

Memory Dump Source

Source File: 0000000C.00000002.1920546941.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 0000000C.00000002.1920454243.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920747487.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920936180.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe1a450000_ImporterREDServer.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
Instruction ID: 09948e05cd1fe1754d755000a0d549ad12727534ed48f0b3eb3cd0f1aeef1a60
Opcode Fuzzy Hash: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
Instruction Fuzzy Hash: EA71A2B2A08A8186D761AF22D45077D7BA0EB01FA9F0481B7FE4C57AA5CF3CD4A1C700

Function 00007FFE13303E1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303F13
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE13303F23

Strings

csm, xrefs: 00007FFE13303E66
csm, xrefs: 00007FFE13303F75

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction ID: 5b87596cc6666b00ccef6c2f01896475db51f894c5a467b797d29cd1a8b79bb3
Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction Fuzzy Hash: AB518432908A428AEB648F17954436D77A0FB60BB4F144276DBAD67BE5CF3CE550C708

Function 00007FFE0EBE2500 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBE2542
RaiseException.KERNEL32 ref: 00007FFE0EBE2658
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBE267D

Strings

csm, xrefs: 00007FFE0EBE25A6

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Exception$RaiseThrowabort
String ID: csm
API String ID: 3758033050-1018135373
Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
Instruction ID: 4dad2432ed843e0dd4c3fbfeea940604966ccbf5ff9c41dd446f0edd81151b3a
Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
Instruction Fuzzy Hash: 10514E62904BC58AEB25CF28C4902A833A0FB58B58F159735DB9D077BADF39E5D5C700

Function 00007FFE0EBEF950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBEF8D4
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBEF8E6
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBEF96B

Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0

Strings

bad locale name, xrefs: 00007FFE0EBEF935

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: setlocale$freemallocmemmove
String ID: bad locale name
API String ID: 4085402405-1405518554
Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
Instruction ID: f4d8b6c2ec17e84438cef60d70aded4d98fd57b0038f4cc4463f4e829c42e9c9
Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
Instruction Fuzzy Hash: 6D31B762F0868291FF75CF16E44017A6292AF85BC0F588036DADD477B9DE3CE9818B80

Function 00007FFE0EC1430C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFE0EC12278), ref: 00007FFE0EC1434D

Part of subcall function 00007FFE0EBEB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7BF
Part of subcall function 00007FFE0EBEB794: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7DB

Strings

$+xv, xrefs: 00007FFE0EC14430
$+xv, xrefs: 00007FFE0EC143B9
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFE0EC143C0

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 462457024-3573081731
Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
Instruction ID: 6ac8ded6fc11c79231212b8992a6c4e377acc6cb44d8c5a235c7b8cd186b1adb
Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
Instruction Fuzzy Hash: A541BC72A08BC2A7E728CF25A1C056D7BA1FB85B81B444275CB9D53E21DB39E562CB01

Function 00007FFE0EC038A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0EBFA07C), ref: 00007FFE0EC038E1

Part of subcall function 00007FFE0EBEB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7BF
Part of subcall function 00007FFE0EBEB794: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EC11347,?,?,?,?,?,?,?,?,?,00007FFE0EC1243E), ref: 00007FFE0EBEB7DB

Part of subcall function 00007FFE0EBF67B0: _Maklocstr.LIBCPMT ref: 00007FFE0EBF67E0
Part of subcall function 00007FFE0EBF67B0: _Maklocstr.LIBCPMT ref: 00007FFE0EBF67FF
Part of subcall function 00007FFE0EBF67B0: _Maklocstr.LIBCPMT ref: 00007FFE0EBF681E

Strings

$+xv, xrefs: 00007FFE0EC039C4
$+xv, xrefs: 00007FFE0EC0394D
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFE0EC03954

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 2504686060-3573081731
Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
Instruction ID: 6bac62e39f1cb5dccde1ceffd44b32d0e1b2d4eeb643a20a54010ff53746cf9d
Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
Instruction Fuzzy Hash: 3141AB72A08BC2A7E725CF2596C057E7BA1FB84781B054235DB8943A21DB7AF566CB00

Function 00007FFE1330A714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1330A778

Strings

%lf, xrefs: 00007FFE1330A7BE

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction ID: f5e6b3e118acf544ae5d8f87259f807cbd1e3de19d6e1f260b6e3da0b8e70eb2
Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction Fuzzy Hash: 5631D93290CE8189FA60CB66F85027E7760FB65BA4F4482B1E9BD67666CF3CD502C704

Function 00007FFE0EBEA4C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 00007FFE0EBEA4F2
FindNextFileW.KERNEL32 ref: 00007FFE0EBEA523
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBEA542

Strings

., xrefs: 00007FFE0EBEA4FC

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: FileFindNext$wcscpy_s
String ID: .
API String ID: 544952861-248832578
Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
Instruction ID: 1adf0ff5e90be026389c28cafe96758654166a0e10e3971f532cd5a026d60d4f
Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
Instruction Fuzzy Hash: 12219362A1C68296FA70DF25E8443BA73A4EF88B94F544131EACD477A8DF3CD4498F40

Function 00007FFE0EBE6C00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBE6CB2
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE0EBE6CF5
_CxxThrowException.VCRUNTIME140 ref: 00007FFE0EBE6D06

Strings

ios_base::badbit set, xrefs: 00007FFE0EBE6C90, 00007FFE0EBE6CBD

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set
API String ID: 1099746521-3882152299
Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
Instruction ID: b8b9a6409c4d5668fafb674ac6677d50372e393dfe1f735d706a93c092d75075
Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
Instruction Fuzzy Hash: CC01D6A1E28A4AA1FB38CE25D4825B91312EFE0744F148536D5CE06BBDDE3EE5068A00

Function 00007FFE13302400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330243E

Strings

RCC, xrefs: 00007FFE13302410
MOC, xrefs: 00007FFE13302418
csm, xrefs: 00007FFE13302420

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction ID: 9e10e85b0756940293677bfbf6226450e051ab89da82817758c40d7f994ea109
Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction Fuzzy Hash: 09F0AF36908A42CAEB505F2AE18006C3260FB68B60F1850B1E76C57276CF3CD4D0D705

Function 00007FFE1A451268 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A451222), ref: 00007FFE1A4534DC

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4512A6

Strings

csm, xrefs: 00007FFE1A451288
MOC, xrefs: 00007FFE1A451280
RCC, xrefs: 00007FFE1A451278

Memory Dump Source

Source File: 0000000C.00000002.1920546941.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 0000000C.00000002.1920454243.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920747487.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920936180.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe1a450000_ImporterREDServer.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
Instruction ID: 2d019762d402d2b13b52595a7bb5cef6abbaccc731d504cdd7bcb820f87a5c18
Opcode Fuzzy Hash: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
Instruction Fuzzy Hash: 7BF04476A18A4682D750BB16E54517C36A4EF49F64F1551F2D74846262CF3CE8B0CB01

Function 00007FFE1330E9E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__C_specific_handler.LIBVCRUNTIME ref: 00007FFE1330E9F0

Part of subcall function 00007FFE1330EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1330ECF0
Part of subcall function 00007FFE1330EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1330E9F5), ref: 00007FFE1330ED3F

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330EA1A

Strings

f, xrefs: 00007FFE1330E9F5
csm, xrefs: 00007FFE1330E9FB

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 2451123448-629598281
Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction ID: 6d73ed30cecdeb63da5884826d499ef1ed45acc4e0ef9564a7c579fd3de88bbb
Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction Fuzzy Hash: DDE0E531E18E4284E7206B66B18013C27A0FF38B70F1480B8DA6C2766ACE3CE4A08209

Function 00007FFE13309CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C459
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C492
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE13309E19
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309E78
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309EAA
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309EBA

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction ID: 68a3f2cb711c9ae72f837340675bf5e742689cb66336fdd4900695039c10b6d8
Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction Fuzzy Hash: 69916772E08F568DFB118BA2D8403AC27B1BB24728F5445B6DE6D276B5DF38A845C348

Function 00007FFE1330A44C Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1330A4F1
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A501
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A51E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A553

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction ID: f72f27fe1bb595bc25a2283e8b9428dc5127ac2f844e347d5a14aa7f1bd05160
Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction Fuzzy Hash: B0517772A18E568CF7108FA2E8403BD37B0BB64768F544171DA6E276A6DF38E442C348

Function 0000000140001ED0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 0000000140001F64
memcpy.VCRUNTIME140 ref: 0000000140001F76
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140001FCC
memset.VCRUNTIME140 ref: 0000000140001FE6

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
String ID:
API String ID: 3533975685-0
Opcode ID: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
Instruction ID: 948ad675966271c9991ceaad39470193d7d81f5c1b48440d7dc352eab6ab828f
Opcode Fuzzy Hash: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
Instruction Fuzzy Hash: B431B4B2711A9451EA06DF66F5443EDA291A788BE0F548635AF6C077E5EF38C4E2C300

Function 00007FFE0EBF6DC8 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE0EBF67E5), ref: 00007FFE0EBF6EA1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE0EBF67E5), ref: 00007FFE0EBF6EF2
memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE0EBF67E5), ref: 00007FFE0EBF6EFC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE0EBF6F3D

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
Instruction ID: c58e08a437e9de3710e52511b8f1c69e31d33772cbdcad1cb28ad8f73539506f
Opcode Fuzzy Hash: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
Instruction Fuzzy Hash: 1041E132B0868691EE28DF22E1141796355AB08BE4F584631EEAD0BBFDEE3CE041C740

Function 00007FFE0EBE9BE8 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFE0EBE9CC0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EBE9D03
memmove.VCRUNTIME140 ref: 00007FFE0EBE9D0D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE0EBE9D40

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
Instruction ID: 7a77ce6ca3c77304176ef3fa8d087e0b5f40da72f3af81b35e913360177fe2c7
Opcode Fuzzy Hash: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
Instruction Fuzzy Hash: E5312471B0868691EE24EF26E544269A391EF44BE4F548231DEBD07BF9DE7CE085C700

Function 00007FFE0EC0FD50 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

_FXp_setw.LIBCPMT ref: 00007FFE0EC0FDAF
_FXp_movx.LIBCPMT ref: 00007FFE0EC0FDBF

Part of subcall function 00007FFE0EC10594: memmove.VCRUNTIME140(?,?,00000004,00007FFE0EC0FDC4), ref: 00007FFE0EC105AA

Part of subcall function 00007FFE0EC1051C: ldexp.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,00007FFE0EC0FDD4), ref: 00007FFE0EC10550

_FXp_movx.LIBCPMT ref: 00007FFE0EC0FE06
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0FE7F

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Xp_movx$Xp_setw_errnoldexpmemmove
String ID:
API String ID: 2295688418-0
Opcode ID: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
Instruction ID: 0a85e545afe9412b81f2529d0dcaaafc5f1be510ff752befada2ba9932dfc66f
Opcode Fuzzy Hash: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
Instruction Fuzzy Hash: 2F41FB22B1CAC6A6F760DB6590C22F96350AF89740F144235DEDD133B6DF3EF9858602

Function 00007FFE0EBE3160 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBE317D
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBE3187
islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE31C4
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBE31EC

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
String ID:
API String ID: 2234106055-0
Opcode ID: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
Instruction ID: 0d4ac8cde90858d07377424d1239d202cd80d9cd8051e2f19ed6d96dd03e394d
Opcode Fuzzy Hash: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
Instruction Fuzzy Hash: CD318322A0C78182F7358F16A45427DAAD1EB94B91F184039DECA077ADDE3CE845CB11

Function 00007FFE0EBE3020 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBE3037
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBE3041
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE3077
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0EBE309F

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
String ID:
API String ID: 3857474680-0
Opcode ID: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
Instruction ID: 9fac6a03dc35ae83f347bd09b1ef4f8a746c6b3949d1f7ee91cce2de28b543d9
Opcode Fuzzy Hash: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
Instruction Fuzzy Hash: 5431C472A0C78286FB258F15A45437D6AE1EB90B91F184035DECE07BAEDE2DE484CB11

Function 00007FFE1330C87C Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C459
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C492
Part of subcall function 00007FFE1330C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C8F7
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C906
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C982
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330C991

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction ID: 0d00968080e08e1589846c03c6b09c29e226ba526c4fe013e151c90ca738453b
Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction Fuzzy Hash: E6417772A08B85CDFB01CF69D8413AC37B0BB64B68F548065DE9D6B7AACF389841C314

Function 00007FFE0EC1AF70 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE0EC0E921), ref: 00007FFE0EC1AFB7
memmove.VCRUNTIME140(?,00000000,?,?,?,00007FFE0EC0E921), ref: 00007FFE0EC1AFDB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0EC0E921), ref: 00007FFE0EC1AFE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0EC0E921), ref: 00007FFE0EC1B05B

Part of subcall function 00007FFE0EBE2E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE2E5A
Part of subcall function 00007FFE0EBE2E30: LCMapStringEx.KERNEL32 ref: 00007FFE0EBE2E9E

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: String___lc_locale_name_funcfreemallocmemmovewcsnlen
String ID:
API String ID: 1076354707-0
Opcode ID: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
Instruction ID: e507555a5d34d480644444e5f7719f87ab749f7b6b7ace8188be642d950a497b
Opcode Fuzzy Hash: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
Instruction Fuzzy Hash: BE213661B08BD2D5E6309F12A48042AAA94FB46FE4F584235DEBD17BF8DF3DD5028700

Function 00007FFE0EBEAAA0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

_fsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBEAB43
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBEAB51
_fsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBEAB82
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBEAB9D

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _fsopen$fclosefseek
String ID:
API String ID: 410343947-0
Opcode ID: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
Instruction ID: 06a18dcda788e537b6ff60ea6f854762e6a334651de5a53c67ef3afd51ab79e4
Opcode Fuzzy Hash: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
Instruction Fuzzy Hash: 2E31C121B2878641EB78CB26A4956767696EF84FC4F084634CE8E477B8DE3CF9418B00

Function 00007FFE0EBEABB4 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

_wfsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBEAC57
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBEAC65
_wfsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBEAC96
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE0EBEACB1

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
Instruction ID: fb633595e1fb4fd3bb729ee42f33187743bf6a500f5b17957dfb2ca0b9a758e4
Opcode Fuzzy Hash: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
Instruction Fuzzy Hash: 9631B621B1968642EB79CF16A8966766795FFC4F84F085534CE8E43BA8DE3CF8418B40

Function 0000000140010660 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000000014001069B
GetLastError.KERNEL32 ref: 00000001400106AA

Part of subcall function 0000000140010BE0: GetLastError.KERNEL32 ref: 0000000140010C05
Part of subcall function 0000000140010BE0: FormatMessageA.KERNEL32 ref: 0000000140010C33

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014001072E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014001076F

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
String ID:
API String ID: 4174221723-0
Opcode ID: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
Instruction ID: 329cc6dd5267e1a20a6fc7da630ad77381380cdf8f0f417e816be49fa379c834
Opcode Fuzzy Hash: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
Instruction Fuzzy Hash: F4315072A18B8441EB128B26E4453AE6751E79DBF4F249301F7FD0B6F9DBB9D5C08600

Function 00007FFE0EC1A5D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0EC1576B), ref: 00007FFE0EC1A604
___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0EC1576B), ref: 00007FFE0EC1A60E

Part of subcall function 00007FFE0EBE26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE2728
Part of subcall function 00007FFE0EBE26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0EBE274E
Part of subcall function 00007FFE0EBE26E0: GetCPInfo.KERNEL32 ref: 00007FFE0EBE2792

memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFE0EC1576B), ref: 00007FFE0EC1A631
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE0EC1576B), ref: 00007FFE0EC1A66F

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
String ID:
API String ID: 3421985146-0
Opcode ID: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
Instruction ID: b740310971cb88be5131d16dfe8db4977c958e3718cdd8eba842a5f94753823d
Opcode Fuzzy Hash: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
Instruction Fuzzy Hash: 9C21A132A08BC286EB148F2AD48002DB7A4FB85FD4B454235DE9D537A8CF3DE8018701

Function 000000014000FAA0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78

Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE

Strings

[FINALIZE ] %08X %s, xrefs: 000000014000FACF
[UNLOAD LIB] %08X %s, xrefs: 000000014000FB11
[UNLOAD LIB], xrefs: 000000014000FAFC

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintfmemset
String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
API String ID: 1351999747-1487749591
Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750

Function 00007FFE0EC18620 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0EBF287C: FormatMessageA.KERNEL32 ref: 00007FFE0EBF28A2

memmove.VCRUNTIME140 ref: 00007FFE0EC1866D
memmove.VCRUNTIME140 ref: 00007FFE0EC1869D
LocalFree.KERNEL32 ref: 00007FFE0EC186C0

Strings

unknown error, xrefs: 00007FFE0EC18663

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: memmove$FormatFreeLocalMessage
String ID: unknown error
API String ID: 725469203-3078798498
Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
Instruction ID: c82aefa378e33c3c416ab02116ce774155000ae05278ee3f7cb737d277afea52
Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
Instruction Fuzzy Hash: 21115B236097C592E7259F25E18036DB7A0FB8ABC8F484134DACC0B7AACF7DD5508741

Function 00007FFE0EC1B090 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
String ID:
API String ID: 3203701943-0
Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
Instruction ID: 6c2849c9110cf77f94335d8534ac6ae6aeb5100cb60be31ecdb3cacc00ef2f0e
Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
Instruction Fuzzy Hash: 920108A2E1479186DB058F7AD440068B7A0FB59B84B148235EE8E87320DA3DD0C18B01

Function 00007FFE0EBE2468 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE24D0

Strings

MOC, xrefs: 00007FFE0EBE248A
csm, xrefs: 00007FFE0EBE249A
RCC, xrefs: 00007FFE0EBE2492

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: malloc
String ID: MOC$RCC$csm
API String ID: 2803490479-2671469338
Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
Instruction ID: 2eb1c19de738b88ba82bd1bf061b96b689ca80283cdc8b96d1157aeb2975832e
Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
Instruction Fuzzy Hash: B8018425E08342C6FF789F25958517D22B5EF49B84F284031DB8E077BDCE2CE981CA02

Function 00007FFE0EC0C9A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFE0EC0CB0C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0CBF9

Strings

0123456789-, xrefs: 00007FFE0EC0CA44

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove
String ID: 0123456789-
API String ID: 4032823789-3850129594
Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
Instruction ID: 1d5f5aaa04bfac841dc5666850276e3ec94d94a1513c201bfc51a0f5f5129009
Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
Instruction Fuzzy Hash: 93716C22B09B95A9EB10CFB5D4906BC7371FB48B88F444136EE8D17BA8DE39D45AC341

Function 00007FFE0EC0C710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFE0EC0C7AD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0C960

Strings

%.0Lf, xrefs: 00007FFE0EC0C79D

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 296878162-1402515088
Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
Instruction ID: b8dc7059670c45cf85f28a551a8c86511b7d106f83ca8d8d196ab4857605fec4
Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
Instruction Fuzzy Hash: 51717222B08B8595EB11CBB5E4806BDA371EF84B94F104232EE8D67B79DF39D055C341

Function 00007FFE0EC0CC30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFE0EC0CCCD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC0CE80

Strings

%.0Lf, xrefs: 00007FFE0EC0CCBD

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 296878162-1402515088
Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
Instruction ID: 5c1ad8c4f86044b0de9967c2e97fcb5a0aa395e3e49030e1fbaa052058f967bc
Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
Instruction Fuzzy Hash: 4E718222B08B8595EB11CBB6E4806ADB371EF94B98F144232EE8D67B69DF3DD045C341

Function 00007FFE0EC18F00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FFE0EC18F09

Strings

invalid random_device value, xrefs: 00007FFE0EC18F1C

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: rand_s
String ID: invalid random_device value
API String ID: 863162693-3926945683
Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
Instruction ID: 92f52aab7b28c24b77f8b9c55f013a41ce65f42103c345a43d91220d29c84884
Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
Instruction Fuzzy Hash: 97510722D18EC5A5F252CB3484E11BA6364BF5B3C4F048776E5EE365B5DF3FA0928242

Function 00007FFE13304710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13306710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1330239E), ref: 00007FFE1330671E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE133047E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13304844

Strings

csm, xrefs: 00007FFE133048EA

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction ID: 919e8aa3b6901c1d50e231208a195f6a5a3f081d24c5099668df340230c58bae
Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction Fuzzy Hash: 46515137A18B818AD660DF1AE04026E77A4FB98BB0F140575EB9D17B65CF3CE4A1CB04

Function 00007FFE1A452590 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A451222), ref: 00007FFE1A4534DC

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A452666
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4526C4

Strings

csm, xrefs: 00007FFE1A452769

Memory Dump Source

Source File: 0000000C.00000002.1920546941.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 0000000C.00000002.1920454243.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920747487.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920936180.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe1a450000_ImporterREDServer.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
Instruction ID: e951cb27b2a14aa040c2acbf341571871fb4ebacc59ab1e0781d8989651ef6fa
Opcode Fuzzy Hash: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
Instruction Fuzzy Hash: 685128B7718B4186D620EB16E04027E77A4FB89FA4F1415B6EB8D07B66CF38E461CB00

Function 00007FFE0EC17330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_Strftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0EC173D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0EC17465

Strings

!%x, xrefs: 00007FFE0EC17361

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Strftime_invalid_parameter_noinfo_noreturn
String ID: !%x
API String ID: 1195835417-1893981228
Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
Instruction ID: 4f1ef3fd37f85a9046cf1d732c31e1c53946f4c50606fb24339a8bb074c353e2
Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
Instruction Fuzzy Hash: 3941AC22F14AD1A8FB00CBB5D8807EC2B31BB4A798F444572EE8D17BA9DF3991858300

Function 00007FFE0EBE32D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE0EBE3305

Part of subcall function 00007FFE0EC325AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBE5AF8), ref: 00007FFE0EC325C6

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE0EBE57FA,?,?,?,00007FFE0EBE4438), ref: 00007FFE0EBE32FE

Strings

ios_base::failbit set, xrefs: 00007FFE0EBE331E

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: ios_base::failbit set
API String ID: 1934640635-3924258884
Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
Instruction ID: 1e18ddd2b4c2fab6ebbd19e75b9ab896aec9d19895ff2c456dee20c1fac4955f
Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
Instruction Fuzzy Hash: B3218521B09B8195DA70CF11A5406AAB3E4FB88BA0F544631EEDC43BADEF3CD9558B00

Function 00007FFE13309BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE13309CAA

Strings

void, xrefs: 00007FFE13309C0C
void , xrefs: 00007FFE13309C34

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction ID: a37da0e49650a488879deb7964826683de3cfa9f538fca6dc6695bef70018f46
Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction Fuzzy Hash: 62313572E18E558CFB00CBA6E8410EC37B4BB68768B440576EE6E62B79DF389144C758

Function 000000014000E370 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441

Strings

[LOAD LIB ] %s, xrefs: 000000014000E3A4
[FAIL LOAD ] %s, xrefs: 000000014000E3ED

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
API String ID: 1654775311-1428855073
Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740

Function 00007FFE0EBEF1B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE0EBEC744), ref: 00007FFE0EBEF1D4

Part of subcall function 00007FFE0EC1B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B0
Part of subcall function 00007FFE0EC1B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0B8
Part of subcall function 00007FFE0EC1B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0C1
Part of subcall function 00007FFE0EC1B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE0EBE6093), ref: 00007FFE0EC1B0DD

Strings

true, xrefs: 00007FFE0EBEF243
false, xrefs: 00007FFE0EBEF22C

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2502581279-2658103896
Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
Instruction ID: bc8211e2495447682a580ea38c79d532fc456c7f39770575664ffbb2b3210e27
Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
Instruction Fuzzy Hash: AB21AD76608BC591EB20DF21E0803AA37A0FB98BA8F450532DADC07769DF38D590CB80

Function 00007FFE1330604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE133063F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE13306434
Part of subcall function 00007FFE133063F0: RaiseException.KERNEL32 ref: 00007FFE1330647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE133060BF

Strings

Bad dynamic_cast!, xrefs: 00007FFE13306072
Access violation - no RTTI data!, xrefs: 00007FFE1330604F

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction ID: 5676251dcfaaf0ff1e4969d08f90b9d8dc97fa009be29380f15cbde4cbb1a734
Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction Fuzzy Hash: AB01B161A2DE06D9EE40CB16E8501BC6320FFB0BB4F8050B1D56E176BAEF6CD404C308

Function 00007FFE133063F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE13306434
RaiseException.KERNEL32 ref: 00007FFE1330647A

Strings

csm, xrefs: 00007FFE13306467

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction ID: f938d593274e148220e9ee312fd72cffeb749a250c4e82f66e1445d53bb129da
Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction Fuzzy Hash: 14118F32A08F8182EB518F16F44026DB7A4FB98BA4F684270DE9D17B69DF3CC551C704

Function 00007FFE1A4531C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A453208
RaiseException.KERNEL32 ref: 00007FFE1A45324E

Strings

csm, xrefs: 00007FFE1A45323B

Memory Dump Source

Source File: 0000000C.00000002.1920546941.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 0000000C.00000002.1920454243.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920747487.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920936180.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe1a450000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
Instruction ID: 98cfe312b12a96db6f2b3ab104c59d221e0a625a9fec9fb08b68f2a294efc027
Opcode Fuzzy Hash: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
Instruction Fuzzy Hash: 1A112B72608F4582EB109B16F4502697BE0FB88F94F5842B1EE9D47B64DF3CD565CB40

Function 00007FFE0EBE6330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0EBE633D

Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE635A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE0EBE6365

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$Getmonthsmallocmemmove
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
API String ID: 794196016-4232081075
Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
Instruction ID: 35090479cc9d7afca55063f62e8f6ed4253ce10587154346303ee8e7e748347c
Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
Instruction Fuzzy Hash: 54E03922A15B42A2EE10CB22F58426963B0EB18B80F584034DA9D02764DF3CE4E4C780

Function 00007FFE0EBE62C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0EBE62CD

Part of subcall function 00007FFE0EBE4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D72
Part of subcall function 00007FFE0EBE4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4D98
Part of subcall function 00007FFE0EBE4D50: memmove.VCRUNTIME140(?,?,?,00007FFE0EBF2124,?,?,?,00007FFE0EBE43DB,?,?,?,00007FFE0EBE5B31), ref: 00007FFE0EBE4DB0

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE62EA

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EBE62F5

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$Getdaysmallocmemmove
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2126063425-3283725177
Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
Instruction ID: aa54157cec7efe12e5c7362c08b095d1d56b19a628b0a53b61cf7da5b99a5aea
Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
Instruction Fuzzy Hash: EDE0ED22B14B82A2EA14DF12F594369A360FF48B80F948435DBAD07765EF3DE4A48700

Function 00007FFE0EBE6A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0EBE6A3D

Part of subcall function 00007FFE0EBE4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4DF9
Part of subcall function 00007FFE0EBE4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E28
Part of subcall function 00007FFE0EBE4DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E3F

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE6A5A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE0EBE6A65

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$Getmonthsmallocmemmove
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
API String ID: 794196016-2030377133
Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
Instruction ID: b07fb7295196d19319b88440c316a95a3036724d518de6996436e5f7480b0d40
Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
Instruction Fuzzy Hash: 69E06D22B04B46A2EA50CF12F5843696360FF48B80F846034DB4E03B68DF3CE4B4C700

Function 00007FFE0EBE69E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0EBE69ED

Part of subcall function 00007FFE0EBE4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4DF9
Part of subcall function 00007FFE0EBE4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E28
Part of subcall function 00007FFE0EBE4DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE0EBF6AB5,?,?,?,?,?,?,?,?,?,00007FFE0EBFA96E), ref: 00007FFE0EBE4E3F

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBE6A0A

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE0EBE6A15

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free$Getdaysmallocmemmove
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2126063425-3283725177
Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
Instruction ID: 4c2c9bd95ee69f7376c4a9290b66d55bf9cfda4c4bf0cff48f310521c847f9ef
Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
Instruction Fuzzy Hash: 70E06D22B14B86A2EA20CF12F58436963A0EF48B90F545134DB4D03B68DF3CE4A48700

Function 0000000140012990 Relevance: 5.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00000001400129AE
_CxxThrowException.VCRUNTIME140 ref: 0000000140012A00
_CxxThrowException.VCRUNTIME140 ref: 0000000140012A31
_CxxThrowException.VCRUNTIME140 ref: 0000000140012A5E

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340

Function 00000001400124D0 Relevance: 5.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00000001400124F4
_CxxThrowException.VCRUNTIME140 ref: 0000000140012524

Part of subcall function 00000001400068A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400068DC

_CxxThrowException.VCRUNTIME140 ref: 0000000140012554
_CxxThrowException.VCRUNTIME140 ref: 0000000140012584

Memory Dump Source

Source File: 0000000C.00000002.1918275636.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000C.00000002.1918226301.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918319235.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918347929.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.1918371547.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd

Similarity

API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2822070131-0
Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740

Function 00007FFE1330672C Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE133065B9,?,?,?,?,00007FFE1330FB22,?,?,?,?,?), ref: 00007FFE1330674B
SetLastError.KERNEL32(?,?,?,00007FFE133065B9,?,?,?,?,00007FFE1330FB22,?,?,?,?,?), ref: 00007FFE133067D4

Memory Dump Source

Source File: 0000000C.00000002.1919968676.00007FFE13301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 0000000C.00000002.1919923323.00007FFE13300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920193231.00007FFE13311000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920311536.00007FFE13316000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000C.00000002.1920396623.00007FFE13317000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe13300000_ImporterREDServer.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction ID: 8f3a0269e4e7ca263cb3aff369a8733bfe70b3844679d4ccb9cd7ba3d7f51711
Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction Fuzzy Hash: 21112424F0DE528AFA54972398041792291EF68BF0F2446B4D97E277FADF3CA441E608

Function 00007FFE1A4533DC Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE1A45329D,?,?,?,?,00007FFE1A45411A,?,?,?,?,?), ref: 00007FFE1A4533FB
SetLastError.KERNEL32(?,?,?,00007FFE1A45329D,?,?,?,?,00007FFE1A45411A,?,?,?,?,?), ref: 00007FFE1A453483

Memory Dump Source

Source File: 0000000C.00000002.1920546941.00007FFE1A451000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 0000000C.00000002.1920454243.00007FFE1A450000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920631684.00007FFE1A455000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920747487.00007FFE1A458000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.1920936180.00007FFE1A459000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe1a450000_ImporterREDServer.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
Instruction ID: 479f95d0abd456450994b2144b3c1d5de1097ad16161fc6272fe47a8af93c2bc
Opcode Fuzzy Hash: 945a849ef1e4ef306028dce5c92f669efe6900a2f555f55e0f0d86f2d5e2500a
Instruction Fuzzy Hash: B81130E0F09E1292FA15B723A86013966A1AF45FB0F5846F6D92E473F5DF3CB4618740

Function 00007FFE0EBF8CD0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8CED
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8CF7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8D01
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8D0B

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
Instruction ID: 0cb4e1ea0baf92eeda4fd9ba8e0bd9ebc7b17799e056605ccc12a76f4c90764d
Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
Instruction Fuzzy Hash: 0FF0EC36B18B82A2DB44DB25E9D4168A360FF88B90B144031CB8D43B74DF7EE4A58301

Function 00007FFE0EBF8C60 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8C7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8C87
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8C91
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8C9B

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
Instruction ID: adcdf30cbc1f35811041453819d414d3ba2057ab6de7c56bd707dcbe0ecccb35
Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
Instruction Fuzzy Hash: 68F0EC36B19B82A6DB48DB25E9D4168B360FF88B90B144031CB8D43B74DF7EE4A58301

Function 00007FFE0EC11DB0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EC11DCD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EC11DD7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EC11DE1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EC11DEB

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
Instruction ID: 62901fffe4049f804ef103ea5574176b033b001d8b236f79fa01328e729728a4
Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
Instruction Fuzzy Hash: 31F0EC36B19B82A6DB45DB25E9D4168A360FF88F90B544031CB8D43B70DF6EE4A58301

Function 00007FFE0EBF8A08 Relevance: 5.0, APIs: 4, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8A1A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8A24
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8A2E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0EBF8A38

Memory Dump Source

Source File: 0000000C.00000002.1919492437.00007FFE0EBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE0EBE0000, based on PE: true

Associated: 0000000C.00000002.1919467827.00007FFE0EBE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919607779.00007FFE0EC35000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919757085.00007FFE0EC63000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919807920.00007FFE0EC64000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.1919860754.00007FFE0EC67000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffe0ebe0000_ImporterREDServer.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
Instruction ID: 7335619da59392e714d45d6e7b9caaf169661e64cbf3c5c369e70a6bca2670ed
Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
Instruction Fuzzy Hash: FFE0B663F14A4192EB64DF32D8E4038A370FF88F59B181032CF8E46334CE69D8A58381

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5c7c37.rbs

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4s5rklwc.h3c.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hsul1pbm.ex4.ps1

C:\Users\user\AppData\Local\Temp\msiB093.txt

C:\Users\user\AppData\Local\Temp\pssB0A6.ps1

C:\Users\user\AppData\Local\Temp\scrB094.ps1

C:\Users\user\AppData\Roaming\Microsoft\Installer\{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}\icon_22.exe

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll

C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll

Windows Analysis Report
setup.msi

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre