Windows Analysis Report
setup.msi

Overview

General Information

Sample name: setup.msi
Analysis ID: 1580946
MD5: 99c84a1c2cf1acd2ddeb621561789acb
SHA1: c5efa38a646b02ea2263dacd5a17586295c6fcd3
SHA256: 404e2b3ecd486cf7a533790edbe22ab145c767f8c413a95570b0cc41c3b46143
Tags: LegionLoader, msi, RobotDropper, successroadway-com, user-aachum
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 3544 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 5720 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 1016 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 45E70E686A70EB9A9EBD77437EA9ABD2 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7448 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7888 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 7896 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 45E70E686A70EB9A9EBD77437EA9ABD2, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1016, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7448, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 45E70E686A70EB9A9EBD77437EA9ABD2, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1016, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7448, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 45E70E686A70EB9A9EBD77437EA9ABD2, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1016, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7448, ProcessName: powershell.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 104.21.6.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1016, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49737
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 45E70E686A70EB9A9EBD77437EA9ABD2, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1016, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7448, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T13:21:50.246687+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.6 | 49737 | 104.21.6.3 | 443 | TCP

AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 87.6% probability
Source: C:\Windows\System32\msiexec.exe, Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}
Source: unknown, HTTPS traffic detected: 104.21.6.3:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe, Code function: 18_2_00007FFD9445A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,18_2_00007FFD9445A330

Networking

Source: Network traffic, Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.6:49737 -> 104.21.6.3:443
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: successroadway.com
Source: unknown, HTTP traffic detected:
    POST /updater.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: successroadway.com
    Content-Length: 71
    Cache-Control: no-cache
Source: setup.msiString found in binary or memory: https://successroadway.com/updater.phpx
Source: BCUninstaller.exe.3.drString found in binary or memory: https://www.certum.pl/CPS0
Source: setup.msi, boost_system.dll.3.dr, boost_threads.dll.3.dr, boost_filesystem.dll.3.dr, boost_program_options.dll.3.dr, dvaunittesting.dll.3.drString found in binary or memory: https://www.digicert.com/CPS0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown; HTTPS traffic detected: 104.21.6.3:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\5f599b.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI62D2.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI6360.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI63BF.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI63EF.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI644D.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI64CB.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI650B.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8093.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\SourceHash{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8C3C.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8C5C.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\5f599e.msi
Source: C:\Windows\System32\msiexec.exe; File deleted: C:\Windows\Installer\MSI62D2.tmp
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe; Code function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-file-l1-2-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.3.dr; Static PE information: No import functions for PE file found
Source: setup.msi; Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.msi
Source: setup.msi; Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.msi
Source: setup.msi; Binary or memory string: OriginalFilenameDataUploader.dllF vs setup.msi
Source: setup.msi; Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.msi
Source: setup.msi; Binary or memory string: OriginalFilenameucrtbase.dllj% vs setup.msi
Source: setup.msi; Binary or memory string: OriginalFilenamevcruntime140.dllT vs setup.msi
Source: setup.msi; Binary or memory string: OriginalFilenamemsvcp140.dllT vs setup.msi
Source: setup.msi; Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs setup.msi
Source: setup.msi; Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs setup.msi
Source: setup.msi; Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs setup.msi
Source: classification engine; Classification label: mal68.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe; Code function: 18_2_0000000140010BE0 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe; Code function: 18_2_00007FFD9445A7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\CML9888.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\TEMP\~DF42C9C193E0DFE6A0.TMP
Source: C:\Windows\System32\msiexec.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown; Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Source: unknown; Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe; Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 45E70E686A70EB9A9EBD77437EA9ABD2
Source: C:\Windows\SysWOW64\msiexec.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe; Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: dvacore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: libzip.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_system.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_date_time.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_threads.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_filesystem.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: dvaunittesting.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: utest.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}Jump to behavior
Source: setup.msiStatic file information: File size 60336524 > 1048576
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 0000000F.00000000.2397498820.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi
Source: Binary string: ucrtbase.pdb source: setup.msi
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_filesystem\lib\win\release\64\boost_filesystem.pdb)) source: boost_filesystem.dll.3.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvaunittesting\lib\win\release\64\dvaunittesting.pdb source: dvaunittesting.dll.3.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 00000012.00000002.2402268433.00000001802BD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: BCUninstaller.exe.3.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140.dll.3.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.3.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 00000012.00000000.2399751564.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.3.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvaunittesting\lib\win\release\64\dvaunittesting.pdb44 source: dvaunittesting.dll.3.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_threads\lib\win\release\64\boost_threads.pdb source: boost_threads.dll.3.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 0000000F.00000000.2397498820.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\unrar64\Release\UnRAR.pdb source: UnRar.exe.3.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp, msvcp140.dll.3.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi
Source: Binary string: ucrtbase.pdbUGP source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, MSI63BF.tmp.3.dr, MSI62D2.tmp.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.3.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_threads\lib\win\release\64\boost_threads.pdb!! source: boost_threads.dll.3.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 00000012.00000000.2399751564.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_filesystem\lib\win\release\64\boost_filesystem.pdb source: boost_filesystem.dll.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.3.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.3.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: BCUninstaller.exe.3.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_program_options\lib\win\release\64\boost_program_options.pdb++ source: boost_program_options.dll.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_program_options\lib\win\release\64\boost_program_options.pdb source: boost_program_options.dll.3.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi
Source: api-ms-win-core-file-l1-2-0.dll.3.drStatic PE information: 0xEA0DB5AA [Mon Jun 7 16:36:58 2094 UTC]
Source: UnRar.exe.3.drStatic PE information: section name: _RDATA
Source: BCUninstaller.exe.3.drStatic PE information: section name: _RDATA
Source: createdump.exe.3.drStatic PE information: section name: _RDATA
Source: vcruntime140.dll.3.drStatic PE information: section name: _RDATA
Source: MSI63EF.tmp.3.drStatic PE information: section name: .fptable
Source: MSI644D.tmp.3.drStatic PE information: section name: .fptable
Source: MSI64CB.tmp.3.drStatic PE information: section name: .fptable
Source: MSI650B.tmp.3.drStatic PE information: section name: .fptable
Source: MSI62D2.tmp.3.drStatic PE information: section name: .fptable
Source: MSI6360.tmp.3.drStatic PE information: section name: .fptable
Source: MSI63BF.tmp.3.drStatic PE information: section name: .fptable
Source: MSI8093.tmp.3.drStatic PE information: section name: .fptable
Source: MSI8C5C.tmp.3.drStatic PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_0354BDAC push esp; ret 9_2_0354BDB3
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6360.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI63EF.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI644D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8093.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI62D2.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8C5C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI650B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI63BF.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI64CB.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 18_2_00007FFD9448C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,18_2_00007FFD9448C0C0
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4341Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 632Jump to behavior
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8C5C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6360.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI650B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI63EF.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI63BF.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI644D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI64CB.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8093.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI62D2.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeAPI coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592Thread sleep count: 4341 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592Thread sleep count: 632 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7636Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 18_2_00007FFD9445A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,18_2_00007FFD9445A330
Source: classes_nocoops.jsa.3.drBinary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.3.drBinary or memory string: ,jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.3.drBinary or memory string: ()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.3.drBinary or memory string: VirtualMachineError.java
Source: setup.msiBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: classes_nocoops.jsa.3.drBinary or memory string: jdk/vm/ci/common/JVMCIError
Source: classes_nocoops.jsa.3.drBinary or memory string: jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.3.drBinary or memory string: jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.3.drBinary or memory string: &jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.3.drBinary or memory string: ()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.3.drBinary or memory string: java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.3.drBinary or memory string: 7jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.3.drBinary or memory string: <"()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.3.drBinary or memory string: java/lang/VirtualMachineError
Source: classes_nocoops.jsa.3.drBinary or memory string: org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.3.drBinary or memory string: %jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.3.drBinary or memory string: jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.3.drBinary or memory string: ;jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.3.drBinary or memory string: jdk/vm/ci/runtime/JVMCI
Source: classes_nocoops.jsa.3.drBinary or memory string: )()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: classes_nocoops.jsa.3.drBinary or memory string: UG#java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.3.drBinary or memory string: #()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.3.drBinary or memory string: jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.3.drBinary or memory string: jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.3.drBinary or memory string: <org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.3.drBinary or memory string: Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.3.drBinary or memory string: ()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 15_2_00007FF72D5C2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00007FF72D5C2ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 15_2_00007FF72D5C3074 SetUnhandledExceptionFilter,15_2_00007FF72D5C3074
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 15_2_00007FF72D5C2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00007FF72D5C2984
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 18_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 18_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 18_2_0000000140011F24 SetUnhandledExceptionFilter,18_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 18_2_00007FFD944A2CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_00007FFD944A2CDC
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 18_2_00007FFDAC13004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_00007FFDAC13004C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss8d12.ps1" -propfile "c:\users\user\appdata\local\temp\msi8cff.txt" -scriptfile "c:\users\user\appdata\local\temp\scr8d00.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr8d01.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: ___lc_locale_name_func,GetLocaleInfoEx,18_2_00007FFD9447EFC0
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 15_2_00007FF72D5C2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,15_2_00007FF72D5C2DA0
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 1 Command and Scripting Interpreter | 1 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | 1 DLL Side-Loading | 1 Windows Service | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Windows Service | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 24 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 111 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Masquerading | DCSync | 121 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 121 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph
ID: 1580946
Sample: setup.msi
Startdate: 26/12/2024
Architecture: WINDOWS
Score: 68

Signatures on the sample:
  • Suricata IDS alerts for network traffic
  • AI detected suspicious sample
  • Sigma detected: Suspicious Script Execution From Temp Folder
  • Sigma detected: Script Interpreter Execution From Suspicious Folder

DNS/IP for the sample: successroadway.com

Process tree:
  • msiexec.exe (started)
      dropped: C:\Windows\Installer\MSI8C5C.tmp, PE32
      dropped: C:\Windows\Installer\MSI8093.tmp, PE32
      dropped: C:\Windows\Installer\MSI650B.tmp, PE32
      dropped: 52 other files (none is malicious)
      • msiexec.exe (started)
          DNS/IP: successroadway.com 104.21.6.3, 443, 49737 CLOUDFLARENETUS United States
          dropped: C:\Users\user\AppData\Local\...\scr8D00.ps1, Unicode
          dropped: C:\Users\user\AppData\Local\...\pss8D12.ps1, Unicode
          dropped: C:\Users\user\AppData\Local\...\msi8CFF.txt, Unicode
          signature: Query firmware table information (likely to detect VMs)
          signature: Bypasses PowerShell execution policy
          • powershell.exe (started)
              • conhost.exe (started)
      • cmd.exe (started)
          • ImporterREDServer.exe (started)
              • conhost.exe (started)
          • conhost.exe (started)
      • createdump.exe (started)
          • conhost.exe (started)
  • msiexec.exe (started)

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI62D2.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6360.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI63BF.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI63EF.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI644D.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI64CB.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI650B.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI8093.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI8C5C.tmp | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://successroadway.com/updater.php | 0% | Avira URL Cloud | safe |
http://subca.ocsp-certum.com05 | 0% | Avira URL Cloud | safe |
https://java.oracle.com/ | 0% | Avira URL Cloud | safe |
http://ccsca2021.ocsp-certum.com05 | 0% | Avira URL Cloud | safe |
https://successroadway.com/updater.phpx | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
successroadway.com | 104.21.6.3 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://successroadway.com/updater.php | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.2328298351.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.certum.pl/ctsca2021.crl0o | BCUninstaller.exe.3.dr | false | | high
https://aka.ms/dotnet-core-applaunch?You | BCUninstaller.exe.3.dr | false | | high
http://repository.certum.pl/ctnca.cer09 | BCUninstaller.exe.3.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2325598804.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.certum.pl/ctnca.crl0k | BCUninstaller.exe.3.dr | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2325598804.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000009.00000002.2325598804.0000000005654000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://java.oracle.com/ | classes_nocoops.jsa.3.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000009.00000002.2328298351.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000009.00000002.2328298351.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ccsca2021.crl.certum.pl/ccsca2021.crl0s | BCUninstaller.exe.3.dr | false | | high
http://schemas.mick | setup.msi | false | | high
https://aka.ms/dotnet/app-launch-failed | BCUninstaller.exe.3.dr | false | | high
https://aka.ms/dotnet/app-launch-failed&gui=trueShowing | BCUninstaller.exe.3.dr | false | | high
https://www.certum.pl/CPS0 | BCUninstaller.exe.3.dr | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2325598804.0000000005346000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://repository.certum.pl/ccsca2021.cer0 | BCUninstaller.exe.3.dr | false | | high
https://aka.ms/dotnet-core-applaunch? | BCUninstaller.exe.3.dr | false | | high
https://successroadway.com/updater.phpx | setup.msi | false | Avira URL Cloud: safe | unknown
http://repository.certum.pl/ctsca2021.cer0 | BCUninstaller.exe.3.dr | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000009.00000002.2325598804.00000000051F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://subca.ocsp-certum.com05 | BCUninstaller.exe.3.dr | false | Avira URL Cloud: safe | unknown
http://subca.ocsp-certum.com02 | BCUninstaller.exe.3.dr | false | | high
http://subca.ocsp-certum.com01 | BCUninstaller.exe.3.dr | false | | high
https://contoso.com/ | powershell.exe, 00000009.00000002.2328298351.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.2328298351.000000000625A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.certum.pl/ctnca2.crl0l | BCUninstaller.exe.3.dr | false | | high
http://repository.certum.pl/ctnca2.cer09 | BCUninstaller.exe.3.dr | false | | high
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 00000012.00000002.2402268433.00000001802BD000.00000002.00000001.01000000.00000008.sdmp | false | | high
http://ccsca2021.ocsp-certum.com05 | BCUninstaller.exe.3.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/winui2/webview2download/Reload(): | setup.msi | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.2325598804.00000000051F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.certum.pl/CPS0 | BCUninstaller.exe.3.dr | false | | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.6.3 | successroadway.com | United States | | 13335 | CLOUDFLARENETUS | true

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580946
Start date and time: 2024-12-26 13:20:41 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: setup.msi
Detection: MAL
Classification: mal68.evad.winMSI@17/91@1/1
EGA Information:
  • Successful, ratio: 33.3%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 14
  • Number of non-executed functions: 193
Cookbook Comments:
  • Found application associated with file extension: .msi
  • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
  • Excluded IPs from analysis (whitelisted): 40.126.53.9, 20.223.35.26, 23.206.197.42, 13.107.246.63, 172.202.163.200, 150.171.27.10, 4.245.163.56
  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target ImporterREDServer.exe, PID 7992 because there are no executed function
  • Execution Graph export aborted for target powershell.exe, PID 7448 because it is empty
  • Not all processes where analyzed, report is missing behavior information

Time | Type | Description
07:21:51 | API Interceptor | 5x Sleep call for process: powershell.exe modified

Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.6.3 | setup.msi | malicious | Unknown |
104.21.6.3 | Remittance Advice.eml | malicious | ReCaptcha Phish |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
successroadway.com | setup.msi | malicious | Unknown | 104.21.6.3
fp2e7a.wpc.phicdn.net | ERTL09tA59.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | vJPhYDClT5.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | V2s8yjvIJw.exe | malicious | Iris Stealer | 192.229.221.95
fp2e7a.wpc.phicdn.net | k6olCJyvIj.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | G6xnfES308.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | XM6cn2uNux.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | bG89JAQXz2.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | q8b3OisMC4.dll | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | eszstwQPwq.ps1 | malicious | LockBit ransomware, Metasploit | 192.229.221.95
fp2e7a.wpc.phicdn.net | 0vM02qWRT9.ps1 | malicious | LockBit ransomware, Metasploit | 192.229.221.95

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | ERTL09tA59.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | MaZjv5XeQi.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | jT7sgjdTea.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | Y4svWfRK1L.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | YKri2nEBWE.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | 0c8cY5GOMh.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | setup.msi | malicious | Unknown | 104.21.6.3
CLOUDFLARENETUS | z3IxCpcpg4.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | GtEVo1eO2p.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | SPFFah2O2q.exe | malicious | LummaC | 172.67.157.254

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | setup.msi | malicious | Unknown | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | HVlonDQpuI.exe | malicious | Vidar | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | 00000.ps1 | malicious | LummaC | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | 123.ps1 | malicious | LummaC | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | blq.exe | malicious | Gh0stCringe, RunningRAT, XRed | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | PodcastsTries.exe | malicious | Vidar | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | RNEQTT.exe | malicious | LodaRAT, XRed | 104.21.6.3

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | E8vC8KRIp1.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | 3gPZmVbozD.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | Setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | q9bzWO2X1r.msi | malicious | Unknown |

                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):20795
                                                                                          Entropy (8bit):5.796426254384711
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:N+O9KXgTF1bfRqYUtX+/F9ir3VPQHCCQIQNV8cP6wmJFgopdLV7mFJ3nE4bNUNv7:N+O9KXgTF1bfRqYUtX+/F9ir3VPQHCCT
                                                                                          MD5:F7B407DF38D98F29C5D1EC2B40723157
                                                                                          SHA1:E5643D996BFD8EE261D4868DC1AA70A172489676
                                                                                          SHA-256:736737B654332B5EF346B8CC036FAAB08F101449E1AF6A0945E8180EB548C8B2
                                                                                          SHA-512:3030139339D3A367C60427CA23CAE97EE09D63869D9E7E7FC2DF0C8511DC562D0FE79604B389C9B8085FEF23D090B7F57FA7E30A6B9B28EF3D545DDA36C371D7
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1360
                                                                                          Entropy (8bit):5.4135884505161025
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:3qWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R82r+SVbR:6WSU4xymI4RfoUeW+mZ9tK8NWR82jVbR
                                                                                          MD5:D5028397D86F34AC9543E7AD0AB2F82A
                                                                                          SHA1:31F69F656AF7E694A2A7B05120FAA7BB30C01A2D
                                                                                          SHA-256:813419B3AD480024DCB4ED8D247B5FB1E5F540A2A3ECAC795713BCD417363375
                                                                                          SHA-512:D98692209EC0A7E7F3656923A5110DC0BD3C5F6ED2D3E2183019A814F7CFAD8C7D946AE288F56E24F0D63DCD0BB9780F74300C974B0504FA952B8C3778A8AC6F
                                                                                          Malicious:false
                                                                                          Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):96
                                                                                          Entropy (8bit):2.99798449505456
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:QmalTuOIAlSRYplflbPRYplf955:Qmalt9lLZiLN
                                                                                          MD5:F26BF481CA203C7D611850139ACBEF41
                                                                                          SHA1:EA86C45B436D1B8F5F42F87AE5034332A5BCFEC4
                                                                                          SHA-256:A6AE6BBFC3486BA26A9A3C67B127D6972D16B8B925BDE4AF20880EE1B1D997CB
                                                                                          SHA-512:D1D2AE7C30A146AC1A85BDC133CE1F105AFC6F4EC8C5BD21A8EAACD0910929D3A9FCB540AB533A253C296C51DC71D1AE58749F7449DAB1C530E82D78D3544E4E
                                                                                          Malicious:true
                                                                                          Preview:CeveralSes :<->:  <<:>> TrialNow :<->: 0 <<:>> 
                                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):6668
                                                                                          Entropy (8bit):3.5127462716425657
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                                          MD5:30C30EF2CB47E35101D13402B5661179
                                                                                          SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                                          SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                                          SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                                          Malicious:true
                                                                                          Preview:param(
                                                                                            [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
                                                                                           ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
                                                                                           ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
                                                                                           ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
                                                                                           ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
                                                                                           ,[Parameter(Mandatory=$true)]
                                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):250
                                                                                          Entropy (8bit):3.576902729499699
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:QfFok79idK3fclQ9zgltHN+KiVmMXFVrMTlp1LlG7JidK3fpdInO:QfF3IugM/XFVrMTWNvn
                                                                                          MD5:479FAC6E0C05C5A57698619AFE51DEF2
                                                                                          SHA1:1AF4A4DB75ACE8324ED7BFF59D711E80A7BDB821
                                                                                          SHA-256:700080D274E5629A2BFA0D47B9BAF53AD69E67A64A2B04D84115D5851AB3DDBD
                                                                                          SHA-512:B0B5065C216EBC1124B985F3FF86EE7C7E7E9B994190D1103C454EDD602E0242B7160BFFB202538470254675DFACAC6159F1A459B979DAD563BDED84FCED193E
                                                                                          Malicious:true
                                                                                          Preview:$oignqp = AI_GetMsiProperty "CeveralSes"
                                                                                          $avoijg = [uint32]($oignqp -replace 'b', '')
                                                                                          AI_SetMsiProperty "TrialNow" $avoijg
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                          Category:dropped
                                                                                          Size (bytes):372526
                                                                                          Entropy (8bit):4.467275942115759
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
                                                                                          MD5:B52B2D1D4C9E56CA24AB0CD0730CC5AD
                                                                                          SHA1:C70A3683DF57DE3096CA58F314C0B649035392CC
                                                                                          SHA-256:73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
                                                                                          SHA-512:CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):310928
                                                                                          Entropy (8bit):6.001677789306043
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                                                          MD5:147B71C906F421AC77F534821F80A0C6
                                                                                          SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                                                          SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                                                          SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Joe Sandbox View:
                                                                                          • Filename: setup.msi, Detection: malicious
                                                                                          • Filename: installer.msi, Detection: malicious
                                                                                          • Filename: E8vC8KRIp1.msi, Detection: malicious
                                                                                          • Filename: installer.msi, Detection: malicious
                                                                                          • Filename: 3gPZmVbozD.msi, Detection: malicious
                                                                                          • Filename: setup.msi, Detection: malicious
                                                                                          • Filename: installer.msi, Detection: malicious
                                                                                          • Filename: setup.msi, Detection: malicious
                                                                                          • Filename: Setup.msi, Detection: malicious
                                                                                          • Filename: q9bzWO2X1r.msi, Detection: malicious
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):117496
                                                                                          Entropy (8bit):6.136079902481222
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                                                          MD5:F67792E08586EA936EBCAE43AAB0388D
                                                                                          SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                                                          SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                                                          SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):506008
                                                                                          Entropy (8bit):6.4284173495366845
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                                                          MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                                                          SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                                                          SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                                                          SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12224
                                                                                          Entropy (8bit):6.596101286914553
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                                                          MD5:919E653868A3D9F0C9865941573025DF
                                                                                          SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                                                          SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                                                          SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12224
                                                                                          Entropy (8bit):6.640081558424349
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                                                          MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                                                          SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                                                          SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                                                          SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11712
                                                                                          Entropy (8bit):6.6023398138369505
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                                                          MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                                                          SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                                                          SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                                                          SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11720
                                                                                          Entropy (8bit):6.614262942006268
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                                                          MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                                                          SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                                                          SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                                                          SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11720
                                                                                          Entropy (8bit):6.654155040985372
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                                                          MD5:94788729C9E7B9C888F4E323A27AB548
                                                                                          SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                                                          SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                                                          SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):15304
                                                                                          Entropy (8bit):6.548897063441128
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                                                          MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                                                          SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                                                          SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                                                          SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11712
                                                                                          Entropy (8bit):6.622041192039296
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                                                          MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                                                          SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                                                          SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                                                          SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11720
                                                                                          Entropy (8bit):6.730719514840594
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                                                          MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                                                          SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                                                          SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                                                          SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11720
                                                                                          Entropy (8bit):6.626458901834476
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                                                          MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                                                          SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                                                          SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                                                          SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12232
                                                                                          Entropy (8bit):6.577869728469469
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                                                          MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                                                          SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                                                          SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                                                          SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11712
                                                                                          Entropy (8bit):6.6496318655699795
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                                                          MD5:A038716D7BBD490378B26642C0C18E94
                                                                                          SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                                                          SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                                                          SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12736
                                                                                          Entropy (8bit):6.587452239016064
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                                                          MD5:D75144FCB3897425A855A270331E38C9
                                                                                          SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                                                          SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                                                          SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):14280
                                                                                          Entropy (8bit):6.658205945107734
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                                                          MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                                                          SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                                                          SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                                                          SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12224
                                                                                          Entropy (8bit):6.621310788423453
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                                                          MD5:808F1CB8F155E871A33D85510A360E9E
                                                                                          SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                                                          SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                                                          SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11720
                                                                                          Entropy (8bit):6.7263193693903345
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                                                          MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                                                          SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                                                          SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                                                          SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12744
                                                                                          Entropy (8bit):6.601327134572443
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                                                          MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                                                          SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                                                          SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                                                          SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):14272
                                                                                          Entropy (8bit):6.519411559704781
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                                                          MD5:E173F3AB46096482C4361378F6DCB261
                                                                                          SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                                                          SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                                                          SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12232
                                                                                          Entropy (8bit):6.659079053710614
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                                                          MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                                                          SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                                                          SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                                                          SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11200
                                                                                          Entropy (8bit):6.7627840671368835
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                                                          MD5:0233F97324AAAA048F705D999244BC71
                                                                                          SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                                                          SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                                                          SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12224
                                                                                          Entropy (8bit):6.590253878523919
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                                                          MD5:E1BA66696901CF9B456559861F92786E
                                                                                          SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                                                          SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                                                          SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11720
                                                                                          Entropy (8bit):6.672720452347989
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                                                          MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                                                          SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                                                          SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                                                          SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):13760
                                                                                          Entropy (8bit):6.575688560984027
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                                                          MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                                                          SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                                                          SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                                                          SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12232
                                                                                          Entropy (8bit):6.70261983917014
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                                                          MD5:D175430EFF058838CEE2E334951F6C9C
                                                                                          SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                                                          SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                                                          SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12744
                                                                                          Entropy (8bit):6.599515320379107
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                                                          MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                                                          SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                                                          SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                                                          SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12232
                                                                                          Entropy (8bit):6.690164913578267
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                                                          MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                                                          SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                                                          SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                                                          SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11720
                                                                                          Entropy (8bit):6.615761482304143
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                                                          MD5:735636096B86B761DA49EF26A1C7F779
                                                                                          SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                                                          SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                                                          SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12744
                                                                                          Entropy (8bit):6.627282858694643
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                                                          MD5:031DC390780AC08F498E82A5604EF1EB
                                                                                          SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                                                          SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                                                          SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):15816
                                                                                          Entropy (8bit):6.435326465651674
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                                                          MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                                                          SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                                                          SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                                                          SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):12232
                                                                                          Entropy (8bit):6.5874576656353145
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                                                          MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                                                          SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                                                          SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                                                          SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):13768
                                                                                          Entropy (8bit):6.645869978118917
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                                                          MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                                                          SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                                                          SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                                                          SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):61176
                                                                                          Entropy (8bit):5.850944458899023
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                                                          MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                                                          SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                                                          SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                                                          SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):127224
                                                                                          Entropy (8bit):6.217127607919178
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                                                          MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                                                          SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                                                          SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                                                          SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):418040
                                                                                          Entropy (8bit):6.1735291180760505
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                                                          MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                                                          SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                                                          SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                                                          SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):698104
                                                                                          Entropy (8bit):6.463466021766765
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                                                          MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                                                          SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                                                          SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                                                          SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):31480
                                                                                          Entropy (8bit):5.969706735107452
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                                                          MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                                                          SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                                                          SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                                                          SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):103672
                                                                                          Entropy (8bit):5.851546804507911
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                                                          MD5:129051E3B7B8D3CC55559BEDBED09486
                                                                                          SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                                                          SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                                                          SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):57488
                                                                                          Entropy (8bit):6.382541157520703
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                                                          MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                                                          SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                                                          SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                                                          SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):4664568
                                                                                          Entropy (8bit):6.259383987199329
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                                                          MD5:A6A89F55416DB79D9E13B82685A04D60
                                                                                          SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                                                          SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                                                          SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):215288
                                                                                          Entropy (8bit):6.050529290720027
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                                                          MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                                                          SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                                                          SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                                                          SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:RAR archive data, v5
                                                                                          Category:dropped
                                                                                          Size (bytes):410286
                                                                                          Entropy (8bit):7.999439739918456
                                                                                          Encrypted:true
                                                                                          SSDEEP:12288:qiy7UWJmwWAmkIvMa3ImNtPteTG7/3Ynu+nOuYVjwwaeQ:wPJvJB2jtVeTe3YuxuYd3Q
                                                                                          MD5:29CD433EC8BDEB8FE60F170DE69E5DE0
                                                                                          SHA1:029D95777CB78F874A8751CDEFDACE492B79FACC
                                                                                          SHA-256:97A47BF9786944D2A4CE9F15E0DD2DC84CD3E447E9B382E7F9F29BB2B367EA92
                                                                                          SHA-512:A4A4A4CBAE0C046BA9E55824672151F3CF4F4E7006C7B011E982580F91E5DC1B5B8381349AACF665F100044CBF86601B15080FF51A2FC082E37E33DCDF3A88B6
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):566704
                                                                                          Entropy (8bit):6.494428734965787
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                                                          MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                                                          SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                                                          SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                                                          SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):22
                                                                                          Entropy (8bit):3.879664004902594
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                                                          MD5:D9324699E54DC12B3B207C7433E1711C
                                                                                          SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                                                          SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                                                          SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                                                          Malicious:false
                                                                                          Preview:@echo off..Start "" %1
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):12124160
                                                                                          Entropy (8bit):4.1175508751036585
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                                                          MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                                                          SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                                                          SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                                                          SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                                                          Malicious:false
                                                                                          Preview:... Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925 ...
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):12124160
                                                                                          Entropy (8bit):4.117842215789484
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                                                          MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                                                          SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                                                          SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                                                          SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                                                          Malicious:false
                                                                                          Preview:... Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925 ...
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Java jmod module version 1.0
                                                                                          Category:dropped
                                                                                          Size (bytes):51389
                                                                                          Entropy (8bit):7.916683616123071
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                                                          MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                                                          SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                                                          SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                                                          SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Java jmod module version 1.0
                                                                                          Category:dropped
                                                                                          Size (bytes):12133334
                                                                                          Entropy (8bit):7.944474086295981
                                                                                          Encrypted:false
                                                                                          SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                                                          MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                                                          SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                                                          SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                                                          SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Java jmod module version 1.0
                                                                                          Category:dropped
                                                                                          Size (bytes):41127
                                                                                          Entropy (8bit):7.961466748192397
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                                                          MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                                                          SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                                                          SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                                                          SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Java jmod module version 1.0
                                                                                          Category:dropped
                                                                                          Size (bytes):113725
                                                                                          Entropy (8bit):7.928841651831531
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                                                          MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                                                          SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                                                          SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                                                          SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Java jmod module version 1.0
                                                                                          Category:dropped
                                                                                          Size (bytes):896846
                                                                                          Entropy (8bit):7.923431656723031
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                                                          MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                                                          SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                                                          SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                                                          SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):639224
                                                                                          Entropy (8bit):6.219852228773659
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                                                          MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                                                          SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                                                          SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                                                          SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):98224
                                                                                          Entropy (8bit):6.452201564717313
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                                                          MD5:F34EB034AA4A9735218686590CBA2E8B
                                                                                          SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                                                          SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                                                          SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):37256
                                                                                          Entropy (8bit):6.297533243519742
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                                                          MD5:135359D350F72AD4BF716B764D39E749
                                                                                          SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                                                          SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                                                          SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {394343F4-E39C-409D-BD57-1C70A6E4B89C}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 06:52:15 2024, Last Saved Time/Date: Thu Dec 26 06:52:15 2024, Last Printed: Thu Dec 26 06:52:15 2024, Number of Pages: 450
                                                                                          Category:dropped
                                                                                          Size (bytes):60336524
                                                                                          Entropy (8bit):7.202431493527563
                                                                                          Encrypted:false
                                                                                          SSDEEP:786432:zGZojVmrjV7eIAtehOTZ0oZ4sdUuzt/NCaY2ksCo:zGcVmrjV7eIvhOTZ5RjVCa1tP
                                                                                          MD5:99C84A1C2CF1ACD2DDEB621561789ACB
                                                                                          SHA1:C5EFA38A646B02EA2263DACD5A17586295C6FCD3
                                                                                          SHA-256:404E2B3ECD486CF7A533790EDBE22AB145C767F8C413A95570B0CC41C3B46143
                                                                                          SHA-512:C0D72A1189F09E9F67400E93CCD797618F9CC17F3A67C91F6E38FF99399F3A51452661BF133227D4991071BA1A402916BF46C049BA501CE69A80276F546EC5AF
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1021792
                                                                                          Entropy (8bit):6.608727172078022
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                          MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                          SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                          SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                          SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1201504
                                                                                          Entropy (8bit):6.4557937684843365
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                                                          MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                                                          SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                                                          SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                                                          SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1021792
                                                                                          Entropy (8bit):6.608727172078022
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                          MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                          SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                          SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                          SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1021792
                                                                                          Entropy (8bit):6.608727172078022
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                                          MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                                          SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                                          SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                                          SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):380520
                                                                                          Entropy (8bit):6.512348002260683
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                                                          MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                                                          SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                                                          SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                                                          SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):392957
                                                                                          Entropy (8bit):4.734169029743012
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:ZMc9rAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOz4:ZMc90CANx6xPZX9mBx
                                                                                          MD5:7BA7BD412ADFE40ED87C27531361319A
                                                                                          SHA1:D1CFCAE10E023FFAE62EAE9497E3DA807C5D80B6
                                                                                          SHA-256:02FD7E7498DF1EFF3E6E72A110A909617924BE280692396BBD2FD43329C0D01E
                                                                                          SHA-512:563A06733089985E74D021E73F518DD2447BAA42F4C0F3A0E0C483288AECE800A358E5A2D20E70E3E095F956820FA8EE82B9A053092903C30ACE582A75DF807A
                                                                                          Malicious:false
                                                                                          Preview:...@IXOS.@.....@.:.Y.@.....@.....@.....@.....@.....@......&.{1C4A5FBA-760B-4754-A971-45D0AA1EA01D}..Cave App..setup.msi.@.....@.....@.....@......icon_22.exe..&.{394343F4-E39C-409D-BD57-1C70A6E4B89C}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}A.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}3.21:\Software\Weqos Apps Industries\Cave App\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}L.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}S.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll.@.......@.....@.....@......
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):787808
                                                                                          Entropy (8bit):6.693392695195763
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                                                          MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                                                          SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                                                          SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                                                          SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):1.1625537714389433
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:JSbX72FjAAGiLIlHVRpMh/7777777777777777777777777vDHFdP9Blp3Xl0i8Q:JaQI5cZ56F
                                                                                          MD5:7E335C74904E04DB3E3AD6BD1781F2B3
                                                                                          SHA1:5E390863DD4785F97E64E07A442FDCAA5A9F70EA
                                                                                          SHA-256:0505EA1505BCDAD744CE8831679726E817F1019BD4B74857E9F4E55536AEC62E
                                                                                          SHA-512:749F9805E540FDDE27FA3B5AC0BBB9477C3FDE8F93666FC2A7C2A156F4FACE92FC775BD03F847C38E0E66483A162BEEEF7A0D6D364F2643F915592B53B610F88
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):1.5780201330964805
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:c8PhduRc06WXJ4FT5/iwcSAEbCyISMcZoEMUXYcwSMcoT:zhd1bFTkh5wCnOvX5wO
                                                                                          MD5:6C9ECA577067C053B4B3AFCA9D6B1DA3
                                                                                          SHA1:F54BD7CFEE7D11E167E38180B90AC16E637590AE
                                                                                          SHA-256:C2D0C2BF0C52BA1CE18AB539B39B1C5D41C4983F8ABBA5195EE289C0B5C34339
                                                                                          SHA-512:29E026D06E252C780C0C5708A6E9B23DB30241F0B976D8148959B35F0C98618D9C5CC260138FA5E8CA940C5A9ED76C227D8B465137F03A6466BFC5C6E3B6EB33
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):360001
                                                                                          Entropy (8bit):5.362992417909592
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauC:zTtbmkExhMJCIpEr
                                                                                          MD5:85B49D06B26F6D684B06BB1D3B592AE4
                                                                                          SHA1:F0D05E8BCA581FED7FA1353D6E94A9B9426BEA03
                                                                                          SHA-256:2840DC7059B828E623D923FEBE31C4C10F76D38C26611573A0C8DF494DB32F2E
                                                                                          SHA-512:1C4B45CD359012D627A7F3A0DA3FD9058CF977ABB46DBFF4CB5223AF1A6CB76768ED0AA6C5E6B89DBB911CF1C92DB41995D13A62ED36E2538DABE39302562928
                                                                                          Malicious:false
                                                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):32768
                                                                                          Entropy (8bit):1.2635411111922292
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:nqluvO+CFXJ9T5EVZiwcSAEbCyISMcZoEMUXYcwSMcoT:qlzVTuVsh5wCnOvX5wO
                                                                                          MD5:4CF95DCC4F66D21EAACD32159A849BE0
                                                                                          SHA1:AA6705529CECF41C38A87E5A5464885CF7C67853
                                                                                          SHA-256:8C13F15D9081EA390835187A1091D6DC6033358ADF93DF467AD24BB8BC1C7D9C
                                                                                          SHA-512:5B64A237A371ACB69911283BB773CE6D43D18647C83916332FC12AEAAD6C5EB9493D53FD99FD5C3FF6912DE38D2046CBD2412FB935B0329A031751DB01E35067
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):1.5780201330964805
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:c8PhduRc06WXJ4FT5/iwcSAEbCyISMcZoEMUXYcwSMcoT:zhd1bFTkh5wCnOvX5wO
                                                                                          MD5:6C9ECA577067C053B4B3AFCA9D6B1DA3
                                                                                          SHA1:F54BD7CFEE7D11E167E38180B90AC16E637590AE
                                                                                          SHA-256:C2D0C2BF0C52BA1CE18AB539B39B1C5D41C4983F8ABBA5195EE289C0B5C34339
                                                                                          SHA-512:29E026D06E252C780C0C5708A6E9B23DB30241F0B976D8148959B35F0C98618D9C5CC260138FA5E8CA940C5A9ED76C227D8B465137F03A6466BFC5C6E3B6EB33
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):32768
                                                                                          Entropy (8bit):0.06936419649644883
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOd+/W9vZGyVky6l3X:2F0i8n0itFzDHFdP9BE3X
                                                                                          MD5:F7F615431B2CB0911937574AB63C5058
                                                                                          SHA1:3C363F52017DD5CF5261977D8CAC475705255566
                                                                                          SHA-256:A5BF3BDD83325741A14CAD81907198144DF89E01604B2C6EC77AA8E57E287ED3
                                                                                          SHA-512:EDEAA859E6BF3DA933A394DA913B2588867758B91B23438DDED2595C85B0A9882AF65367E4BBB202CC7466F819A54A57D1C60725FE59FC8FF7679FEF934DFCF6
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):73728
                                                                                          Entropy (8bit):0.14268905094150539
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:HnTxkFcwipVkFcakFcSAEVkyjCyIipVkFcZVgwG5iZMU80O+HY3:HT4cwSMc/cSAEbCyISMcZoEMUXOt
                                                                                          MD5:5A0C24013F48C41A8196EC41123C0290
                                                                                          SHA1:DC24CF3DC7488C03B457B041EF8D90111FF23B77
                                                                                          SHA-256:E6170F8B24A174571D3C7533EE4B155972F7F8F9AAF95A003C32EEE92EC66D2E
                                                                                          SHA-512:FE67AEB5301360CF0487A78964B0018EAEF4498002D877D1258FE3323456FF44AE11F26BF3277C222B12F621F86C3C679CDEBC4F37AB4135C66C95B529A8BD0A
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):32768
                                                                                          Entropy (8bit):1.2635411111922292
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:nqluvO+CFXJ9T5EVZiwcSAEbCyISMcZoEMUXYcwSMcoT:qlzVTuVsh5wCnOvX5wO
                                                                                          MD5:4CF95DCC4F66D21EAACD32159A849BE0
                                                                                          SHA1:AA6705529CECF41C38A87E5A5464885CF7C67853
                                                                                          SHA-256:8C13F15D9081EA390835187A1091D6DC6033358ADF93DF467AD24BB8BC1C7D9C
                                                                                          SHA-512:5B64A237A371ACB69911283BB773CE6D43D18647C83916332FC12AEAAD6C5EB9493D53FD99FD5C3FF6912DE38D2046CBD2412FB935B0329A031751DB01E35067
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):32768
                                                                                          Entropy (8bit):1.2635411111922292
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:nqluvO+CFXJ9T5EVZiwcSAEbCyISMcZoEMUXYcwSMcoT:qlzVTuVsh5wCnOvX5wO
                                                                                          MD5:4CF95DCC4F66D21EAACD32159A849BE0
                                                                                          SHA1:AA6705529CECF41C38A87E5A5464885CF7C67853
                                                                                          SHA-256:8C13F15D9081EA390835187A1091D6DC6033358ADF93DF467AD24BB8BC1C7D9C
                                                                                          SHA-512:5B64A237A371ACB69911283BB773CE6D43D18647C83916332FC12AEAAD6C5EB9493D53FD99FD5C3FF6912DE38D2046CBD2412FB935B0329A031751DB01E35067
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):1.5780201330964805
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:c8PhduRc06WXJ4FT5/iwcSAEbCyISMcZoEMUXYcwSMcoT:zhd1bFTkh5wCnOvX5wO
                                                                                          MD5:6C9ECA577067C053B4B3AFCA9D6B1DA3
                                                                                          SHA1:F54BD7CFEE7D11E167E38180B90AC16E637590AE
                                                                                          SHA-256:C2D0C2BF0C52BA1CE18AB539B39B1C5D41C4983F8ABBA5195EE289C0B5C34339
                                                                                          SHA-512:29E026D06E252C780C0C5708A6E9B23DB30241F0B976D8148959B35F0C98618D9C5CC260138FA5E8CA940C5A9ED76C227D8B465137F03A6466BFC5C6E3B6EB33
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):638
                                                                                          Entropy (8bit):4.751962275036146
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                                                          MD5:15CA959638E74EEC47E0830B90D0696E
                                                                                          SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                                                          SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                                                          SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                                                          Malicious:false
                                                                                          Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {394343F4-E39C-409D-BD57-1C70A6E4B89C}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 06:52:15 2024, Last Saved Time/Date: Thu Dec 26 06:52:15 2024, Last Printed: Thu Dec 26 06:52:15 2024, Number of Pages: 450
                                                                                          Entropy (8bit):7.202431493527563
                                                                                          TrID:
                                                                                          • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                                                          File name:setup.msi
                                                                                          File size:60'336'524 bytes
                                                                                          MD5:99c84a1c2cf1acd2ddeb621561789acb
                                                                                          SHA1:c5efa38a646b02ea2263dacd5a17586295c6fcd3
                                                                                          SHA256:404e2b3ecd486cf7a533790edbe22ab145c767f8c413a95570b0cc41c3b46143
                                                                                          SHA512:c0d72a1189f09e9f67400e93ccd797618f9cc17f3a67c91f6e38ff99399f3a51452661bf133227d4991071ba1a402916bf46c049ba501ce69a80276f546ec5af
                                                                                          SSDEEP:786432:zGZojVmrjV7eIAtehOTZ0oZ4sdUuzt/NCaY2ksCo:zGcVmrjV7eIvhOTZ5RjVCa1tP
                                                                                          TLSH:D9D76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
                                                                                          Icon Hash:2d2e3797b32b2b99
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T13:21:50.246687+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.6 | 49737 | 104.21.6.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 13:21:48.795574903 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:48.795671940 CET | 443 | 49737 | 104.21.6.3 | 192.168.2.6
Dec 26, 2024 13:21:48.795768976 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:48.823015928 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:48.823055029 CET | 443 | 49737 | 104.21.6.3 | 192.168.2.6
Dec 26, 2024 13:21:50.132424116 CET | 443 | 49737 | 104.21.6.3 | 192.168.2.6
Dec 26, 2024 13:21:50.132503986 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:50.229407072 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:50.229425907 CET | 443 | 49737 | 104.21.6.3 | 192.168.2.6
Dec 26, 2024 13:21:50.230767012 CET | 443 | 49737 | 104.21.6.3 | 192.168.2.6
Dec 26, 2024 13:21:50.230839968 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:50.246351004 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:50.246462107 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:50.246510029 CET | 443 | 49737 | 104.21.6.3 | 192.168.2.6
Dec 26, 2024 13:21:51.030409098 CET | 443 | 49737 | 104.21.6.3 | 192.168.2.6
Dec 26, 2024 13:21:51.030489922 CET | 443 | 49737 | 104.21.6.3 | 192.168.2.6
Dec 26, 2024 13:21:51.030488014 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:51.030565023 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:51.035330057 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:51.035346985 CET | 443 | 49737 | 104.21.6.3 | 192.168.2.6
Dec 26, 2024 13:21:51.035360098 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Dec 26, 2024 13:21:51.035393000 CET | 49737 | 443 | 192.168.2.6 | 104.21.6.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 13:21:48.562377930 CET | 56210 | 53 | 192.168.2.6 | 1.1.1.1
Dec 26, 2024 13:21:48.789562941 CET | 53 | 56210 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 13:21:48.562377930 CET | 192.168.2.6 | 1.1.1.1 | 0xac7d | Standard query (0) | successroadway.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 13:21:34.978441000 CET | 1.1.1.1 | 192.168.2.6 | 0x18d8 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 26, 2024 13:21:34.978441000 CET | 1.1.1.1 | 192.168.2.6 | 0x18d8 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:21:48.789562941 CET | 1.1.1.1 | 192.168.2.6 | 0xac7d | No error (0) | successroadway.com |  | 104.21.6.3 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 13:21:48.789562941 CET | 1.1.1.1 | 192.168.2.6 | 0xac7d | No error (0) | successroadway.com |  | 172.67.134.27 | A (IP address) | IN (0x0001) | false
                                                                                          • successroadway.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49737 | 104.21.6.3 | 443 | 1016 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 12:21:50 UTC | 196 | OUT | POST /updater.php HTTP/1.1
                                                                                          Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                                                          User-Agent: AdvancedInstaller
                                                                                          Host: successroadway.com
                                                                                          Content-Length: 71
                                                                                          Cache-Control: no-cache
2024-12-26 12:21:50 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 32 36 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 30 37 25 33 41 32 31 25 33 41 34 37 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                                                          Data Ascii: Date=26%2F12%2F2024&Time=07%3A21%3A47&BuildVersion=8.9.9&SoroqVins=True
2024-12-26 12:21:51 UTC | 837 | IN | HTTP/1.1 500 Internal Server Error
                                                                                          Date: Thu, 26 Dec 2024 12:21:50 GMT
                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          Cache-Control: no-store
                                                                                          cf-cache-status: DYNAMIC
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FCcXKb7BATN6LuqPWWwDvXUCetlWFraa9O7VnTo4wbJ6F%2FmyTdJeKHGnHZs01ZoTNnIahRWU3i%2Bmgale1kmFFcbhs90Z48muP80bZqZtAoeMnGEoPL675LTp3GStkvoDmk%2FsECk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8f81086e1db57c7c-EWR
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2009&min_rtt=2009&rtt_var=755&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=927&delivery_rate=1449131&cwnd=252&unsent_bytes=0&cid=b12b53a94da8407a&ts=909&x=0"
2024-12-26 12:21:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0



                                                                                          Target ID:1
                                                                                          Start time:07:21:37
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                                                                          Imagebase:0x7ff74ca20000
                                                                                          File size:69'632 bytes
                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:07:21:37
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                          Imagebase:0x7ff74ca20000
                                                                                          File size:69'632 bytes
                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:4
                                                                                          Start time:07:21:39
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 45E70E686A70EB9A9EBD77437EA9ABD2
                                                                                          Imagebase:0x540000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:07:21:50
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss8D12.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi8CFF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr8D00.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr8D01.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                                                          Imagebase:0xc0000
                                                                                          File size:433'152 bytes
                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:07:21:50
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:07:21:59
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
                                                                                          Imagebase:0x7ff70d570000
                                                                                          File size:289'792 bytes
                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:15
                                                                                          Start time:07:21:59
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
                                                                                          Imagebase:0x7ff72d5c0000
                                                                                          File size:57'488 bytes
                                                                                          MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:16
                                                                                          Start time:07:21:59
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:17
                                                                                          Start time:07:21:59
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:18
                                                                                          Start time:07:22:00
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
                                                                                          Imagebase:0x140000000
                                                                                          File size:117'496 bytes
                                                                                          MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:19
                                                                                          Start time:07:22:00
                                                                                          Start date:26/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2325283358.0000000003540000.00000040.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_3540000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 778fc44d2ae8ba0ab71052c2e6d52889e0905637f09a89bfa88bb75e499ad72a
                                                                                            • Instruction ID: 3546929d4f90cf2c889e6895e6ab05e81ed4ad30af25e29883f5a113de01d338
                                                                                            • Opcode Fuzzy Hash: 778fc44d2ae8ba0ab71052c2e6d52889e0905637f09a89bfa88bb75e499ad72a
                                                                                            • Instruction Fuzzy Hash: A1713B70E01258DFDB18DFB5D880AADBBF6BF88348F148529D412AB2A0DB75AC45CB51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2325283358.0000000003540000.00000040.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_3540000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cb8c8aba48c67161ea89aa971ab1ab2de6703e61d4f8e5aab6a237c8dcd06882
                                                                                            • Instruction ID: 87deece18d495deac2309110510a35da382f37a72a5cd5f8732c9b27aae8e691
                                                                                            • Opcode Fuzzy Hash: cb8c8aba48c67161ea89aa971ab1ab2de6703e61d4f8e5aab6a237c8dcd06882
                                                                                            • Instruction Fuzzy Hash: 0A51DD71A04600CFDB18EF74D894AAA7BF6FF89714F0845A9E852EB3A0CB359C04CB51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2325283358.0000000003540000.00000040.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_3540000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2d1f700785a655afaaad3ad01a6711eb1decad376286d9a7ccb2702a9cb6b736
                                                                                            • Instruction ID: 9092d2bea9ac74b41e059f3f8a79a7400e016f20fb9726c3510472fedbd3a65f
                                                                                            • Opcode Fuzzy Hash: 2d1f700785a655afaaad3ad01a6711eb1decad376286d9a7ccb2702a9cb6b736
                                                                                            • Instruction Fuzzy Hash: F6418D70A00208DFDB18DFA9D8846AEBBF6FF85344F148469D002AF3A4DB75A845CB80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2330867086.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7c00000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9d4310d06720c3b633c17080984038d496cbf8685e5de15bda34a06c669a56fb
                                                                                            • Instruction ID: c2b54c87f6fb9bd80f677adb608eb62672a66022bce8571c495af50a426a36e4
                                                                                            • Opcode Fuzzy Hash: 9d4310d06720c3b633c17080984038d496cbf8685e5de15bda34a06c669a56fb
                                                                                            • Instruction Fuzzy Hash: 0C416AF160420EDFDB24CE59C584AAEFBF5EF45351F1880AAE8058B291E731DA81CBD1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2321765956.000000000333D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0333D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_333d000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f4bbdb4701140581ea957e5b4013e33ad07e042254b4d219ea35dba99f03b649
                                                                                            • Instruction ID: 528385021b48db76773d2ba2f86e0e9bbc92d21eba0b0fcc1c12262a41dff7b1
                                                                                            • Opcode Fuzzy Hash: f4bbdb4701140581ea957e5b4013e33ad07e042254b4d219ea35dba99f03b649
                                                                                            • Instruction Fuzzy Hash: B801297240D3809FE7128B25CD94792BFA8EF43624F1984DBE9888F1A7C2695845CB72
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2321765956.000000000333D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0333D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_333d000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2818625a30d553f01742219b01442d0ba9448c887fe21e4eb61e9293eeb2cca7
                                                                                            • Instruction ID: 87b118cff3c3ab18d6d14890aa0624b6e37ed667ca181c5a228c853db680ccb1
                                                                                            • Opcode Fuzzy Hash: 2818625a30d553f01742219b01442d0ba9448c887fe21e4eb61e9293eeb2cca7
                                                                                            • Instruction Fuzzy Hash: 7401F2724043409AE7108A25CDC0BA6FF9CEF42B64F0CC05AED481A642C6BD9841CAB1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.2325283358.0000000003540000.00000040.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_3540000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fa96fe32a4ffe9cbc09496703baec502fb8d4546e69a631c0ffd3f21d22680dd
                                                                                            • Instruction ID: 57b4f6ee79e5a30b830f15b3541be221b8318ad7ae90b325ec1b34ce276b3309
                                                                                            • Opcode Fuzzy Hash: fa96fe32a4ffe9cbc09496703baec502fb8d4546e69a631c0ffd3f21d22680dd
                                                                                            • Instruction Fuzzy Hash: 45F03074A4060ACFEB08DBA4D595B6F7BB2EF81344F109918D2129F364DF799D498BC0

                                                                                            Execution Graph

                                                                                            Execution Coverage:3.4%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:1.7%
                                                                                            Total number of Nodes:701
                                                                                            Total number of Limit Nodes:1
2951 7ff72d5c3524 2950->2951 2951->2893 2959 7ff72d5c2970 2962 7ff72d5c2da0 2959->2962 2963 7ff72d5c2dc3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 2962->2963 2964 7ff72d5c2979 2962->2964 2963->2964 3086 7ff72d5c7130 3087 7ff72d5c7168 __GSHandlerCheckCommon 3086->3087 3088 7ff72d5c7194 3087->3088 3090 7ff72d5c3c00 3087->3090 3091 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3090->3091 3092 7ff72d5c3c42 3091->3092 3093 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3092->3093 3094 7ff72d5c3c4f 3093->3094 3095 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3094->3095 3096 7ff72d5c3c58 __GSHandlerCheck_EH 3095->3096 3097 7ff72d5c5414 __GSHandlerCheck_EH 31 API calls 3096->3097 3098 7ff72d5c3ca9 3097->3098 3098->3088 3099 7ff72d5c43b0 3100 7ff72d5c43ca 3099->3100 3101 7ff72d5c43b9 3099->3101 3101->3100 3102 7ff72d5c43c5 free 3101->3102 3102->3100 2965 7ff72d5c756f 2966 7ff72d5c43d0 _CreateFrameInfo 10 API calls 2965->2966 2967 7ff72d5c757d 2966->2967 2968 7ff72d5c7588 2967->2968 2969 7ff72d5c43d0 _CreateFrameInfo 10 API calls 2967->2969 2969->2968 2970 7ff72d5c5f75 2978 7ff72d5c5e35 __GSHandlerCheck_EH 2970->2978 2971 7ff72d5c5f92 2972 7ff72d5c43d0 _CreateFrameInfo 10 API calls 2971->2972 2973 7ff72d5c5f97 2972->2973 2974 7ff72d5c5fa2 2973->2974 2976 7ff72d5c43d0 _CreateFrameInfo 10 API calls 2973->2976 2975 7ff72d5c2660 __GSHandlerCheck_EH 8 API calls 2974->2975 2977 7ff72d5c5fb5 2975->2977 2976->2974 2978->2971 2979 7ff72d5c3bd0 __GSHandlerCheck_EH 10 API calls 2978->2979 2979->2978 3103 7ff72d5c74a7 3106 7ff72d5c5cc0 3103->3106 3111 7ff72d5c5c38 3106->3111 3109 7ff72d5c5ce0 3110 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3110->3109 3112 7ff72d5c5ca3 3111->3112 3113 7ff72d5c5c5a 3111->3113 3112->3109 3112->3110 3113->3112 3114 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3113->3114 3114->3112 3115 7ff72d5c59ad 3116 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3115->3116 3117 7ff72d5c59ba 3116->3117 3118 7ff72d5c43d0 _CreateFrameInfo 10 
API calls 3117->3118 3120 7ff72d5c59c3 __GSHandlerCheck_EH 3118->3120 3119 7ff72d5c5a0a RaiseException 3121 7ff72d5c5a29 3119->3121 3120->3119 3122 7ff72d5c3b54 11 API calls 3121->3122 3124 7ff72d5c5a31 3122->3124 3123 7ff72d5c5a5a __GSHandlerCheck_EH 3125 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3123->3125 3124->3123 3128 7ff72d5c4104 10 API calls 3124->3128 3126 7ff72d5c5a6d 3125->3126 3127 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3126->3127 3129 7ff72d5c5a76 3127->3129 3128->3123 3130 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3129->3130 3131 7ff72d5c5a7f 3130->3131 3132 7ff72d5c43d0 _CreateFrameInfo 10 API calls 3131->3132 3133 7ff72d5c5a8e 3132->3133 2256 7ff72d5c27ec 2279 7ff72d5c2b8c 2256->2279 2259 7ff72d5c2943 2319 7ff72d5c2ecc IsProcessorFeaturePresent 2259->2319 2260 7ff72d5c280d 2262 7ff72d5c294d 2260->2262 2268 7ff72d5c282b __scrt_release_startup_lock 2260->2268 2263 7ff72d5c2ecc 7 API calls 2262->2263 2264 7ff72d5c2958 2263->2264 2266 7ff72d5c2960 _exit 2264->2266 2265 7ff72d5c2850 2267 7ff72d5c28d6 _get_initial_narrow_environment __p___argv __p___argc 2285 7ff72d5c1060 2267->2285 2268->2265 2268->2267 2271 7ff72d5c28ce _register_thread_local_exe_atexit_callback 2268->2271 2271->2267 2274 7ff72d5c2903 2275 7ff72d5c2908 _cexit 2274->2275 2276 7ff72d5c290d 2274->2276 2275->2276 2315 7ff72d5c2d20 2276->2315 2326 7ff72d5c316c 2279->2326 2282 7ff72d5c2bbb __scrt_initialize_crt 2284 7ff72d5c2805 2282->2284 2328 7ff72d5c404c 2282->2328 2284->2259 2284->2260 2286 7ff72d5c1386 2285->2286 2310 7ff72d5c10b4 2285->2310 2355 7ff72d5c1450 __acrt_iob_func 2286->2355 2288 7ff72d5c1399 2313 7ff72d5c3020 GetModuleHandleW 2288->2313 2289 7ff72d5c1289 2289->2286 2290 7ff72d5c129f 2289->2290 2360 7ff72d5c2688 2290->2360 2292 7ff72d5c12a9 2294 7ff72d5c1325 2292->2294 2295 7ff72d5c12b9 GetTempPathA 2292->2295 2293 7ff72d5c1125 strcmp 2293->2310 2369 7ff72d5c23c0 2294->2369 2298 7ff72d5c12e9 strcat_s 2295->2298 2299 7ff72d5c12cb GetLastError 2295->2299 2296 7ff72d5c1151 
strcmp 2296->2310 2298->2294 2302 7ff72d5c1304 2298->2302 2301 7ff72d5c1450 6 API calls 2299->2301 2305 7ff72d5c12df GetLastError 2301->2305 2306 7ff72d5c1450 6 API calls 2302->2306 2303 7ff72d5c1344 __acrt_iob_func fflush __acrt_iob_func fflush 2309 7ff72d5c1312 2303->2309 2304 7ff72d5c117d strcmp 2304->2310 2305->2309 2306->2309 2309->2288 2310->2289 2310->2293 2310->2296 2310->2304 2311 7ff72d5c1226 strcmp 2310->2311 2311->2310 2312 7ff72d5c1239 atoi 2311->2312 2312->2310 2314 7ff72d5c28ff 2313->2314 2314->2264 2314->2274 2317 7ff72d5c2d31 __scrt_initialize_crt 2315->2317 2316 7ff72d5c2916 2316->2265 2317->2316 2318 7ff72d5c404c __scrt_initialize_crt 7 API calls 2317->2318 2318->2316 2320 7ff72d5c2ef2 2319->2320 2321 7ff72d5c2f11 RtlCaptureContext RtlLookupFunctionEntry 2320->2321 2322 7ff72d5c2f76 2321->2322 2323 7ff72d5c2f3a RtlVirtualUnwind 2321->2323 2324 7ff72d5c2fa8 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 2322->2324 2323->2322 2325 7ff72d5c2ffa 2324->2325 2325->2262 2327 7ff72d5c2bae __scrt_dllmain_crt_thread_attach 2326->2327 2327->2282 2327->2284 2329 7ff72d5c4054 2328->2329 2330 7ff72d5c405e 2328->2330 2334 7ff72d5c44f4 2329->2334 2330->2284 2335 7ff72d5c4503 2334->2335 2337 7ff72d5c4059 2334->2337 2342 7ff72d5c6630 2335->2342 2338 7ff72d5c6460 2337->2338 2339 7ff72d5c648b 2338->2339 2340 7ff72d5c648f 2339->2340 2341 7ff72d5c646e DeleteCriticalSection 2339->2341 2340->2330 2341->2339 2346 7ff72d5c6498 2342->2346 2347 7ff72d5c65b2 TlsFree 2346->2347 2353 7ff72d5c64dc 2346->2353 2348 7ff72d5c650a LoadLibraryExW 2350 7ff72d5c6581 2348->2350 2351 7ff72d5c652b GetLastError 2348->2351 2349 7ff72d5c65a1 GetProcAddress 2349->2347 2350->2349 2352 7ff72d5c6598 FreeLibrary 2350->2352 2351->2353 2352->2349 2353->2347 2353->2348 2353->2349 2354 7ff72d5c654d LoadLibraryExW 2353->2354 2354->2350 2354->2353 2405 7ff72d5c1010 2355->2405 2357 7ff72d5c148a __acrt_iob_func 2408 7ff72d5c1000 2357->2408 2359 7ff72d5c14a2 __stdio_common_vfprintf 
__acrt_iob_func fflush 2359->2288 2363 7ff72d5c2690 2360->2363 2361 7ff72d5c26aa malloc 2362 7ff72d5c26b4 2361->2362 2361->2363 2362->2292 2363->2361 2364 7ff72d5c26ba 2363->2364 2367 7ff72d5c26c5 2364->2367 2410 7ff72d5c2b30 2364->2410 2414 7ff72d5c1720 2367->2414 2368 7ff72d5c26cb 2368->2292 2370 7ff72d5c2688 5 API calls 2369->2370 2371 7ff72d5c23f5 OpenProcess 2370->2371 2372 7ff72d5c2458 K32GetModuleBaseNameA 2371->2372 2373 7ff72d5c243b GetLastError 2371->2373 2375 7ff72d5c2492 2372->2375 2376 7ff72d5c2470 GetLastError 2372->2376 2374 7ff72d5c1450 6 API calls 2373->2374 2385 7ff72d5c2453 2374->2385 2431 7ff72d5c1800 2375->2431 2378 7ff72d5c1450 6 API calls 2376->2378 2380 7ff72d5c2484 CloseHandle 2378->2380 2380->2385 2381 7ff72d5c25b3 CloseHandle 2381->2385 2382 7ff72d5c24ae 2384 7ff72d5c13c0 6 API calls 2382->2384 2383 7ff72d5c25fa 2442 7ff72d5c2660 2383->2442 2386 7ff72d5c24cf CreateFileA 2384->2386 2385->2383 2387 7ff72d5c25f3 _invalid_parameter_noinfo_noreturn 2385->2387 2388 7ff72d5c250f GetLastError 2386->2388 2389 7ff72d5c2543 2386->2389 2387->2383 2391 7ff72d5c1450 6 API calls 2388->2391 2392 7ff72d5c2550 MiniDumpWriteDump 2389->2392 2398 7ff72d5c258a CloseHandle CloseHandle 2389->2398 2394 7ff72d5c2538 CloseHandle 2391->2394 2395 7ff72d5c2576 GetLastError 2392->2395 2392->2398 2394->2385 2395->2389 2397 7ff72d5c258c 2395->2397 2399 7ff72d5c1450 6 API calls 2397->2399 2398->2385 2399->2398 2400 7ff72d5c13c0 __acrt_iob_func 2401 7ff72d5c1010 fprintf __stdio_common_vfprintf 2400->2401 2402 7ff72d5c13fa __acrt_iob_func 2401->2402 2501 7ff72d5c1000 2402->2501 2404 7ff72d5c1412 __stdio_common_vfprintf __acrt_iob_func fflush 2404->2303 2409 7ff72d5c1000 2405->2409 2407 7ff72d5c1036 __stdio_common_vfprintf 2407->2357 2408->2359 2409->2407 2411 7ff72d5c2b3e std::bad_alloc::bad_alloc 2410->2411 2420 7ff72d5c3f84 2411->2420 2413 7ff72d5c2b4f 2415 7ff72d5c172e Concurrency::cancel_current_task 2414->2415 2416 7ff72d5c3f84 Concurrency::cancel_current_task 2 API 
calls 2415->2416 2417 7ff72d5c173f 2416->2417 2425 7ff72d5c3cc0 2417->2425 2421 7ff72d5c3fc0 RtlPcToFileHeader 2420->2421 2422 7ff72d5c3fa3 2420->2422 2423 7ff72d5c3fd8 2421->2423 2424 7ff72d5c3fe7 RaiseException 2421->2424 2422->2421 2423->2424 2424->2413 2426 7ff72d5c3ce1 2425->2426 2427 7ff72d5c176d 2425->2427 2426->2427 2428 7ff72d5c3cf6 malloc 2426->2428 2427->2368 2429 7ff72d5c3d23 free 2428->2429 2430 7ff72d5c3d07 2428->2430 2429->2427 2430->2429 2432 7ff72d5c1850 2431->2432 2433 7ff72d5c1863 WSAStartup 2431->2433 2434 7ff72d5c1450 6 API calls 2432->2434 2439 7ff72d5c187f 2433->2439 2441 7ff72d5c185c 2433->2441 2434->2441 2435 7ff72d5c2660 __GSHandlerCheck_EH 8 API calls 2436 7ff72d5c1d87 2435->2436 2436->2381 2436->2382 2437 7ff72d5c1dd0 2438 7ff72d5c1450 6 API calls 2437->2438 2438->2441 2439->2437 2439->2441 2451 7ff72d5c20c0 2439->2451 2441->2435 2443 7ff72d5c2669 2442->2443 2444 7ff72d5c1334 2443->2444 2445 7ff72d5c29c0 IsProcessorFeaturePresent 2443->2445 2444->2303 2444->2400 2446 7ff72d5c29d8 2445->2446 2496 7ff72d5c2a94 RtlCaptureContext 2446->2496 2452 7ff72d5c20e9 2451->2452 2453 7ff72d5c2218 2451->2453 2456 7ff72d5c2137 2452->2456 2459 7ff72d5c2144 2452->2459 2460 7ff72d5c216c 2452->2460 2475 7ff72d5c17e0 2453->2475 2455 7ff72d5c221d 2458 7ff72d5c1720 Concurrency::cancel_current_task 4 API calls 2455->2458 2456->2455 2456->2459 2461 7ff72d5c2223 2458->2461 2466 7ff72d5c2690 2459->2466 2463 7ff72d5c2690 5 API calls 2460->2463 2464 7ff72d5c2155 BuildCatchObjectHelperInternal 2460->2464 2462 7ff72d5c21e0 _invalid_parameter_noinfo_noreturn 2465 7ff72d5c21d3 BuildCatchObjectHelperInternal 2462->2465 2463->2464 2464->2462 2464->2465 2465->2439 2467 7ff72d5c26aa malloc 2466->2467 2468 7ff72d5c26b4 2467->2468 2469 7ff72d5c269b 2467->2469 2468->2464 2469->2467 2470 7ff72d5c26ba 2469->2470 2471 7ff72d5c26c5 2470->2471 2472 7ff72d5c2b30 Concurrency::cancel_current_task 2 API calls 2470->2472 2473 7ff72d5c1720 Concurrency::cancel_current_task 4 API calls 
2471->2473 2472->2471 2474 7ff72d5c26cb 2473->2474 2474->2464 2488 7ff72d5c34d4 2475->2488 2493 7ff72d5c33f8 2488->2493 2491 7ff72d5c3f84 Concurrency::cancel_current_task 2 API calls 2492 7ff72d5c34f6 2491->2492 2494 7ff72d5c3cc0 __std_exception_copy 2 API calls 2493->2494 2495 7ff72d5c342c 2494->2495 2495->2491 2497 7ff72d5c2aae RtlLookupFunctionEntry 2496->2497 2498 7ff72d5c2ac4 RtlVirtualUnwind 2497->2498 2499 7ff72d5c29eb 2497->2499 2498->2497 2498->2499 2500 7ff72d5c2984 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2499->2500 2501->2404

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                                                            • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                                                            • API String ID: 2647627392-2367407095
                                                                                            • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                                            • Instruction ID: e0b8817097d44afd30df1812f81ba7c5a29058a77427e7071afa888b84d12f3c
                                                                                            • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                                            • Instruction Fuzzy Hash: 28A15061D0C68245FB61AB23EC407B9AAE4EF56B55F844131CD4E46695FEBCE444CF30

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                                            • String ID:
                                                                                            • API String ID: 2308368977-0
                                                                                            • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                                            • Instruction ID: e7d8a247b7c5e56ed0a9e3c002cd4b7d88047884f32fefcd11d6ffddec87b7a1
                                                                                            • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                                            • Instruction Fuzzy Hash: 7A31F521A0C20742FA14BB279D113B9A691EF45F84FC49039EE4D472A7FEEDA845CA74

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                                            • String ID: [createdump]
                                                                                            • API String ID: 3735572767-2657508301
                                                                                            • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                                            • Instruction ID: 2d76c8fe907cbf1ccc049d1ec5d37e3daa14194a138405e69b2d03fdfcbb534b
                                                                                            • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                                            • Instruction Fuzzy Hash: 78014B21A0CB9182E600AB52FC0966AE764EB84BD1F804539EE8D03765EFBCD455CB30

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 3140674995-0
                                                                                            • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                                            • Instruction ID: c63409ae6aed27fecb581f0b62e70edbb7ae4d3a96ce88372176b6da3164d752
                                                                                            • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                                            • Instruction Fuzzy Hash: C3316072608A8186EB609F61E8403EDB761FB44745F80403ADA4E57B94EF7CD548CB30
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                                            • Instruction ID: 1cc5c64c8c3ef6281da819b03928c86081e9e9662b14ae1f2bae5f50319e893b
                                                                                            • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                                            • Instruction Fuzzy Hash: EFA0022690CD16D0F644AB12EC54171A730FF50302FC00432D84D610A0BFBDA444CB74

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF72D5C242D
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF72D5C243B
                                                                                              • Part of subcall function 00007FF72D5C1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C1475
                                                                                              • Part of subcall function 00007FF72D5C1450: fprintf.MSPDB140-MSVCRT ref: 00007FF72D5C1485
                                                                                              • Part of subcall function 00007FF72D5C1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C1494
                                                                                              • Part of subcall function 00007FF72D5C1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C14B3
                                                                                              • Part of subcall function 00007FF72D5C1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C14BE
                                                                                              • Part of subcall function 00007FF72D5C1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C14C7
                                                                                            • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF72D5C2466
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF72D5C2470
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF72D5C2487
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF72D5C25F3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                                                            • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                                                            • API String ID: 3971781330-1292085346

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                            • String ID: csm$csm$csm
                                                                                            • API String ID: 695522112-393685449

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                                            • String ID: [createdump]
                                                                                            • API String ID: 3735572767-2657508301

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WSAStartup.WS2_32 ref: 00007FF72D5C186C
                                                                                              • Part of subcall function 00007FF72D5C1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C1475
                                                                                              • Part of subcall function 00007FF72D5C1450: fprintf.MSPDB140-MSVCRT ref: 00007FF72D5C1485
                                                                                              • Part of subcall function 00007FF72D5C1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C1494
                                                                                              • Part of subcall function 00007FF72D5C1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C14B3
                                                                                              • Part of subcall function 00007FF72D5C1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C14BE
                                                                                              • Part of subcall function 00007FF72D5C1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C14C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                                                            • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                                                            • API String ID: 3378602911-3973674938

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF72D5C669F,?,?,?,00007FF72D5C441E,?,?,?,00007FF72D5C43D9), ref: 00007FF72D5C651D
                                                                                            • GetLastError.KERNEL32(?,00000000,00007FF72D5C669F,?,?,?,00007FF72D5C441E,?,?,?,00007FF72D5C43D9,?,?,?,?,00007FF72D5C3524), ref: 00007FF72D5C652B
                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00007FF72D5C669F,?,?,?,00007FF72D5C441E,?,?,?,00007FF72D5C43D9,?,?,?,?,00007FF72D5C3524), ref: 00007FF72D5C6555
                                                                                            • FreeLibrary.KERNEL32(?,00000000,00007FF72D5C669F,?,?,?,00007FF72D5C441E,?,?,?,00007FF72D5C43D9,?,?,?,?,00007FF72D5C3524), ref: 00007FF72D5C659B
                                                                                            • GetProcAddress.KERNEL32(?,00000000,00007FF72D5C669F,?,?,?,00007FF72D5C441E,?,?,?,00007FF72D5C43D9,?,?,?,?,00007FF72D5C3524), ref: 00007FF72D5C65A7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                            • String ID: api-ms-
                                                                                            • API String ID: 2559590344-2084034818

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: _time64
                                                                                            • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                                            • API String ID: 1670930206-4114407318

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: EncodePointerabort
                                                                                            • String ID: MOC$RCC
                                                                                            • API String ID: 1188231555-2084237596

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: __except_validate_context_recordabort
                                                                                            • String ID: csm$csm
                                                                                            • API String ID: 746414643-3733052814
                                                                                            • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                                            • Instruction ID: fcdc2e5342d4727fe4b094fb70861136d8a082379d696a3c6fa937a1130895f6
                                                                                            • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                                            • Instruction Fuzzy Hash: 0D71C13260C6828AD721AF669840779BBA0FB40B89F948135DE9D47A85EF7CD491CF30

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                                            • API String ID: 0-4114407318
                                                                                            • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                                            • Instruction ID: 60eb05dcd255515a3d0024ffb3444822d7986dbfe72dd812c3c6bb949d22395e
                                                                                            • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                                            • Instruction Fuzzy Hash: A851E872A1CB8546D710DF2AE840BAAA761EB917D0F800135EE9D13B99EF7DD041DB70

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFrameInfo__except_validate_context_record
                                                                                            • String ID: csm
                                                                                            • API String ID: 2558813199-1018135373
                                                                                            • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                                            • Instruction ID: 333b2271b9ecd460c68f2307b3cf3eca0b15b6cf96612a8b6b3209069bd0fc07
                                                                                            • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                                            • Instruction Fuzzy Hash: 02513C3261C74686E620AB16E84066EB7B4FB88B94F540134DF8D07B55EFBCE4A0CB30
                                                                                            APIs
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00007FF72D5C17EB
                                                                                            • WSAStartup.WS2_32 ref: 00007FF72D5C186C
                                                                                              • Part of subcall function 00007FF72D5C1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C1475
                                                                                              • Part of subcall function 00007FF72D5C1450: fprintf.MSPDB140-MSVCRT ref: 00007FF72D5C1485
                                                                                              • Part of subcall function 00007FF72D5C1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C1494
                                                                                              • Part of subcall function 00007FF72D5C1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C14B3
                                                                                              • Part of subcall function 00007FF72D5C1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C14BE
                                                                                              • Part of subcall function 00007FF72D5C1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF72D5C14C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                                                            • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                                                            • API String ID: 1412700758-3183687674
                                                                                            • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                                            • Instruction ID: 08cb62aa23028cfc99a919f0cacd1589991554ea47012c8e5ed07424db493415
                                                                                            • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                                            • Instruction Fuzzy Hash: 2901B522A1C98195F761AF13EC81BBAA350FB58794F800035EE4D07651EE7CD496CB30
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastgethostname
                                                                                            • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                                            • API String ID: 3782448640-4114407318
                                                                                            • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                                            • Instruction ID: d150ddfc34bfa9cde8f95110b940d6506d0273735beb9b7d836035cee85c7ce2
                                                                                            • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                                            • Instruction Fuzzy Hash: 0511A321E0C54245EA59BB23AC507FAA290DF86BB4F901135DEAF172D6FD7CD0828B70
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: terminate
                                                                                            • String ID: MOC$RCC$csm
                                                                                            • API String ID: 1821763600-2671469338
                                                                                            • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                                            • Instruction ID: c76a67e946d36a2b2a696777e9245d9cacdf836466c45bd9d01460f942aa4f65
                                                                                            • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                                            • Instruction Fuzzy Hash: E8F0813691C24A81E3247B52A94146CB274EF98B84F895031DF4806252EFFCF4A0CE71
                                                                                            APIs
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF72D5C18EE), ref: 00007FF72D5C21E0
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF72D5C221E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                            • String ID: Invalid process id '%d' error %d
                                                                                            • API String ID: 73155330-4244389950
                                                                                            • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                                            • Instruction ID: fb20cac3d10ae0b0f9fbf5b7c54fd78fbf8c475894b80ac45e864515f08c940d
                                                                                            • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                                            • Instruction Fuzzy Hash: 5B31B12270D78195EA14AF1799442A9B7A1EB05FD0F988631DF6D07BD5EEBCE0908730
                                                                                            APIs
                                                                                            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72D5C173F), ref: 00007FF72D5C3FC8
                                                                                            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72D5C173F), ref: 00007FF72D5C400E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.2399704679.00007FF72D5C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF72D5C0000, based on PE: true
                                                                                            • Associated: 0000000F.00000002.2399673532.00007FF72D5C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399748518.00007FF72D5C8000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399779193.00007FF72D5CC000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 0000000F.00000002.2399805233.00007FF72D5CD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_7ff72d5c0000_createdump.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                            • String ID: csm
                                                                                            • API String ID: 2573137834-1018135373
                                                                                            • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                                            • Instruction ID: a8df720cbe23892e138fce619a7e0f1042b38b99c9cc717a7ff4e4f8cdc48064
                                                                                            • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                                            • Instruction Fuzzy Hash: 5011303261CB4582EB209B16F840259B7A0FB84B84F584631DECD07764EF7DD555CB20
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule
                                                                                            • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                                                            • API String ID: 667068680-295688737
                                                                                            • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                                                            • Instruction ID: 7d977003f272d016d20d525573799253c57659c0b66e78ab18dba4a971bae5bc
                                                                                            • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                                                            • Instruction Fuzzy Hash: 71A18464B0AB0791EF248F95B9F41742365BB4AB85B94C235C84E0722AEFFCB159C390
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                                                            • API String ID: 2943138195-2884338863
                                                                                            • Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                                                            • Instruction ID: 08450c7263cf73598d7430097aa26d28286dabd50ef347b9b80122f9d6494830
                                                                                            • Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                                                            • Instruction Fuzzy Hash: A392B277B1978286EB42DB24E4A03AEB7A0FB843A4F401135FA8D4279ADF7CD544CB45
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 2003779279-1866435925
                                                                                            • Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                                                            • Instruction ID: 6f7953f0cf102b678ea34d853ec2aa04328c28d4ae3880275c013d313b650ec0
                                                                                            • Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                                                            • Instruction Fuzzy Hash: 0FA26F22709B8581EB24CF59E4A03A9B760FB86F84F598036DB8D47B6ADFBDD445C700
                                                                                            APIs
                                                                                            • memchr.VCRUNTIME140 ref: 00007FFD944830AA
                                                                                            • memchr.VCRUNTIME140 ref: 00007FFD94483470
                                                                                            • memchr.VCRUNTIME140 ref: 00007FFD944836A5
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9448410D
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94484114
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9448411B
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94484122
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94484129
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94484130
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94484137
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9448413E
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94484145
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9448414C
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944842D3
                                                                                              • Part of subcall function 00007FFD94461DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFD9445C320), ref: 00007FFD94461DFB
                                                                                              • Part of subcall function 00007FFD94461DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFD9445C320), ref: 00007FFD94461E08
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
                                                                                            • String ID: 0123456789-
                                                                                            • API String ID: 3572500260-3850129594
                                                                                            • Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                                                            • Instruction ID: e045d0e5b4e9afec7986936bb5a90603c64f3f668f7e3a29c135a55e4548d659
                                                                                            • Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                                                            • Instruction Fuzzy Hash: 91E2C022B09A8585EBA08FA9D4A437C3761FB46B94F55C131DA5E077EADFBED480C700
                                                                                            APIs
                                                                                              • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                                                              • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                                                              • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                                                              • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                                                              • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                                                              • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                                                              • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                                                            • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                                                            • OpenEventA.KERNEL32 ref: 0000000140008454
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                                                            • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                                                              • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                                                              • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                                                              • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                                                              • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                                                              • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                                                              • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                                                              • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                                                            • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                                                            • CloseHandle.KERNEL32 ref: 0000000140008554
                                                                                            • CloseHandle.KERNEL32 ref: 0000000140008561
                                                                                            • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                                                            • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                                                            • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                                                            • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                                                            • String ID:
                                                                                            • API String ID: 1089015687-0
                                                                                            • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                                                            • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                                                            • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                                                            • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                                                            • String ID:
                                                                                            • API String ID: 2074253140-0
                                                                                            • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                                                            • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                                                            • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                                                            • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: iswdigit$btowclocaleconv
                                                                                            • String ID: 0$0
                                                                                            • API String ID: 240710166-203156872
                                                                                            • Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                                                            • Instruction ID: ddfe1aa78649ae89f9bc757dbeb29763418cc66129443f196580758fee9a6d07
                                                                                            • Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                                                            • Instruction Fuzzy Hash: F4814D72B186864AE7758F65D8A027973A1FF91B44F088135EE8A4639ADFBCE845C700
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0123456789-+Ee
                                                                                            • API String ID: 0-1347306980
                                                                                            • Opcode ID: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                                                            • Instruction ID: 9142998430a7b8ec4d38e789afc4026989c8ce8a8c0adaeffff29aea380fcf60
                                                                                            • Opcode Fuzzy Hash: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                                                            • Instruction Fuzzy Hash: BAC2AE66B19A8185EF608FA9D5E027C3761EF52B84F54C031DA5E077AACF7DE866C300
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memchr$isdigit$localeconv
                                                                                            • String ID: 0$0123456789abcdefABCDEF
                                                                                            • API String ID: 1981154758-1185640306
                                                                                            • Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                                                            • Instruction ID: 7bf57aff40ec8fb6da88da5726b96faaa65074444cc34be6ef04f03a3b1d8587
                                                                                            • Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                                                            • Instruction Fuzzy Hash: EE915A32B0859647EB758B64E4B037A7B90FB46B48F48D130CE8A5774ADABCE845C740
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
                                                                                            • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                                                            • API String ID: 2141594249-3606100449
                                                                                            • Opcode ID: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                                                            • Instruction ID: b09542406f38240606d5ed84ad8348912abf68abfd274c6432a5f8a8b6888bf7
                                                                                            • Opcode Fuzzy Hash: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                                                            • Instruction Fuzzy Hash: D8D28C62B19A8185EF658FD9C5E017C3761AF52F84B68C031DA5E077AACFBDE852D300
                                                                                            APIs
                                                                                            • _Find_elem.LIBCPMT ref: 00007FFD94471660
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94472011
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94472018
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9447201F
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944721CE
                                                                                              • Part of subcall function 00007FFD94461DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFD9445C320), ref: 00007FFD94461DFB
                                                                                              • Part of subcall function 00007FFD94461DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFD9445C320), ref: 00007FFD94461E08
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                                                            • String ID: 0123456789-
                                                                                            • API String ID: 2779821303-3850129594
                                                                                            • Opcode ID: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                                                            • Instruction ID: 326fe4e77f2cd867a14dda423e2eba69628919657d90d1322b95b28342b17ee9
                                                                                            • Opcode Fuzzy Hash: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                                                            • Instruction Fuzzy Hash: 6CE28F36B19A9585EB608FA9D0A027D3B74FB46B84F54D035DA4E077AACF7DD882C700
                                                                                            APIs
                                                                                            • _Find_elem.LIBCPMT ref: 00007FFD94472C08
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944735B9
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944735C0
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944735C7
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94473776
                                                                                              • Part of subcall function 00007FFD94461DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFD9445C320), ref: 00007FFD94461DFB
                                                                                              • Part of subcall function 00007FFD94461DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFD9445C320), ref: 00007FFD94461E08
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                                                            • String ID: 0123456789-
                                                                                            • API String ID: 2779821303-3850129594
                                                                                            • Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                                                            • Instruction ID: 7ac6bdea7ead367b14436a39ae4f825de0be1a6a666e915967c8357d7eb15b94
                                                                                            • Opcode Fuzzy Hash: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                                                            • Instruction Fuzzy Hash: 04E27136B1AA9585EB608FA9D0A027D3774FB46B84F54D035DA4E077AACF7DD882C700
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: iswdigit$localeconv
                                                                                            • String ID: 0$0$0123456789abcdefABCDEF
                                                                                            • API String ID: 2634821343-613610638
                                                                                            • Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                                                            • Instruction ID: 75c43deb7ceb641adfd9a5163c08d532dd87635bf87a2c346cc77325b7e4eb15
                                                                                            • Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                                                            • Instruction Fuzzy Hash: 43812C62F085964BEBB58F64D8B027976A0FB56B44F08C131EF894B78ADB7CE845C740
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                                                            • String ID: .$.
                                                                                            • API String ID: 479945582-3769392785
                                                                                            • Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                                                            • Instruction ID: 45f85469d24f73fa55cd15407923f89af7965b93c0e3c7e76bd7beb0c386e1b1
                                                                                            • Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                                                            • Instruction Fuzzy Hash: 49419622B1864185EF30DFE5E4A52796360FB467A4F408231EB9D13AD9DFBCD485C700
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0123456789-+Ee
                                                                                            • API String ID: 0-1347306980
                                                                                            • Opcode ID: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                                                            • Instruction ID: 1d6b06c155d48d7cbe4d8c73658acd5e91a9ad891cfb0425044cb518cc1bdf67
                                                                                            • Opcode Fuzzy Hash: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                                                            • Instruction Fuzzy Hash: C6C27D26B49A8285EB648F99D1B017C3761FB56B94B54C031DE4E0779ACFBEE8A5C300
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0123456789-+Ee
                                                                                            • API String ID: 0-1347306980
                                                                                            • Opcode ID: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                                                            • Instruction ID: 2d12840ff217487de9a614804c6a9d7e9650d31c71b3b9a1adddf52b445e322f
                                                                                            • Opcode Fuzzy Hash: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                                                            • Instruction Fuzzy Hash: 32C26C26B09A9285EB648F99D1A017C37A1FB52B94B54C031DF4E0779ACFBDE8A5C300
                                                                                            APIs
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94476EF7
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94476F89
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9447702C
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944774E8
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9447753A
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94477581
                                                                                              • Part of subcall function 00007FFD9447EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFD9446923E), ref: 00007FFD9447EC08
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                                            • String ID:
                                                                                            • API String ID: 15630516-0
                                                                                            • Opcode ID: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                                                            • Instruction ID: 1f5d392fe9ad8032b67ad5bde8c8e11a24604d16e6be1f303efe1b3deb9dc50d
                                                                                            • Opcode Fuzzy Hash: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                                                            • Instruction Fuzzy Hash: F952C132B08B8585EB208FA9D4941BD67A1FB85B98F54D131EB4D03B9AEF7CE591C340
                                                                                            APIs
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944765AB
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9447663D
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944766E0
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94476B9C
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94476BEE
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94476C35
                                                                                              • Part of subcall function 00007FFD9447EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFD9446923E), ref: 00007FFD9447EC08
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                                            • String ID:
                                                                                            • API String ID: 15630516-0
                                                                                            • Opcode ID: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                                                            • Instruction ID: 8a56c4a2a7035a3316e7c7f3f1876b2776074fb0830ae8f0642371197b1909e3
                                                                                            • Opcode Fuzzy Hash: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                                                            • Instruction Fuzzy Hash: 5152D232B08B8585EB208F69D4942BD6762FB56BA8F04C131DB4D47B9AEF7CE581C340
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                                                            • String ID:
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                                                            • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                                                            • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                                                            • String ID:
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                                                            • String ID:
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$memchr
                                                                                            • String ID: 0123456789ABCDEFabcdef-+Xx
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD94487600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFD94453887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD9448760F
                                                                                              • Part of subcall function 00007FFD9445F6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFD94484C66,?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE66), ref: 00007FFD9445F6FC
                                                                                            • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE77), ref: 00007FFD94475F35
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE77), ref: 00007FFD94475F4A
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE77), ref: 00007FFD94475F58
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: free$Gettnames_lock_localesrealloc
                                                                                            • String ID:
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD94487600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFD94453887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD9448760F
                                                                                              • Part of subcall function 00007FFD9445F6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFD94484C66,?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE66), ref: 00007FFD9445F6FC
                                                                                            • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE88), ref: 00007FFD94475245
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE88), ref: 00007FFD9447525A
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE88), ref: 00007FFD94475268
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: free$Gettnames_lock_localesrealloc
                                                                                            • String ID:
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: ErrorFormatLastMessage
                                                                                            • String ID: GetLastError() = 0x%X
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD94481E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94481F72
                                                                                              • Part of subcall function 00007FFD94487600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFD94453887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD9448760F
                                                                                            • _Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE66,?,?,?,?,?,?,?,00007FFD9445F7E7), ref: 00007FFD94484BCF
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE66,?,?,?,?,?,?,?,00007FFD9445F7E7), ref: 00007FFD94484BE4
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFD9445FE66,?,?,?,?,?,?,?,00007FFD9445F7E7), ref: 00007FFD94484BF3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
                                                                                            • String ID:
                                                                                            • API String ID: 962949324-0
                                                                                            • Opcode ID: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                                                            • Instruction ID: 14b9d9e6ae9630af468237a6b51b07e6fc2cc87717e20137f6a52106642d0313
                                                                                            • Opcode Fuzzy Hash: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                                                            • Instruction Fuzzy Hash: A4325C25B09A0281EBB5EFA1D8F01B967A0AF46785B48C135DA0E5739FEEBCF455C340
                                                                                            APIs
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944742AD
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944742FB
                                                                                              • Part of subcall function 00007FFD9447EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFD9446923E), ref: 00007FFD9447EC08
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                                            • String ID:
                                                                                            • API String ID: 15630516-0
                                                                                            • Opcode ID: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                                                            • Instruction ID: 51db9ef785cb357ec17e2b29154debc85b9ad67652f7ca2a441d5e9564d1f734
                                                                                            • Opcode Fuzzy Hash: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                                                            • Instruction Fuzzy Hash: 7AD19F32B09B4295FB20DFA5D5902BC63B2EB49B98F448132DE4D27B9ADF78D446C340
                                                                                            APIs
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD944746ED
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9447473B
                                                                                              • Part of subcall function 00007FFD9447EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFD9446923E), ref: 00007FFD9447EC08
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                                            • String ID:
                                                                                            • API String ID: 15630516-0
                                                                                            • Opcode ID: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                                                            • Instruction ID: cf5be59d297061bfb710cec9f1d87a79719aec8bb1e8b98fff295fde88bac6ae
                                                                                            • Opcode Fuzzy Hash: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                                                            • Instruction Fuzzy Hash: 4DD18E32B09B4185FB20CFA5D5902BC6372EB49B98F458132DE5D27B9ADF78E45AC340
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                                                            • String ID:
                                                                                            • API String ID: 1654775311-0
                                                                                            • Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                                                            • Instruction ID: 54b673d333f4d3f96b38032966980b5eeba40adab50795139f5ca566b665987d
                                                                                            • Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                                                            • Instruction Fuzzy Hash: FCA1C462F0969185FB209BE5D5A06BC27B1BB56BA8F55C035DE4D1BB8ACF7CD482C300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                                                            • String ID:
                                                                                            • API String ID: 1654775311-0
                                                                                            • Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                                                            • Instruction ID: a4ce9bee33589f0c5726416360d47442894f532b39e1233f6617a1c3a735bdda
                                                                                            • Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                                                            • Instruction Fuzzy Hash: 87A1B462F0969285FB208BE5E5A06BC27B1BB16BA8F54C035DE4D1BB8ADF789451C300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: DiskFreeSpace_invalid_parameter_noinfo_noreturnmemcpymemmove
                                                                                            • String ID:
                                                                                            • API String ID: 1762017149-0
                                                                                            • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                                                            • Instruction ID: 11c568255c5f92c87b21e7367e0b0541832f06a7f2f526a49d2924d875af3cd0
                                                                                            • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                                                            • Instruction Fuzzy Hash: C8414822B15B4598FB10CFE1D8902AC37B5BB49BA8F549626CE5D23B9DDF78D085C340
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale___lc_locale_name_func
                                                                                            • String ID:
                                                                                            • API String ID: 3366915261-0
                                                                                            • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                                                            • Instruction ID: 5b1e7f3d8475b01b83573f5a16c653ef2a398e2ee9e35e035e62967c19655a10
                                                                                            • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                                                            • Instruction Fuzzy Hash: 0DF05832B2D08282E3B85B98D4B97382260FB46309F40C432E60F4339ACEACD546E741
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                                                            • Instruction ID: cda8fa5f63a038cefb1b0b7ad220c75352bca9b1fb9f6ec48a586a5f2450e0e6
                                                                                            • Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                                                            • Instruction Fuzzy Hash: D3021976B0AA4685EF608FA5C4A037933A1EB56F88F55D031DA4E1779ACEBCD846C310
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                                                            • Instruction ID: 48c6620564a6cc21a8fac9667f0275b7d94133e6c619d16461e28cad95ed0406
                                                                                            • Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                                                            • Instruction Fuzzy Hash: 6D025326B09A4585EBA18F69D4A037C37A1FB56F98F58D131CA4D473AACFBDD842C310
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _lock_locales
                                                                                            • String ID:
                                                                                            • API String ID: 3756862740-0
                                                                                            • Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                                                            • Instruction ID: c0f50b56c88e34f0b12ba77350a7755e4beecc519819ae8ff9954f4d9520857e
                                                                                            • Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                                                            • Instruction Fuzzy Hash: D8E16B21B09B0281EB7ADFE598F01B962A1AF467C0B44C235D90E537AFDEBCB455C741
                                                                                            APIs
                                                                                            • memset.VCRUNTIME140 ref: 000000014000475B
                                                                                              • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                                                              • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                                                              • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                                                            • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                                                              • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                                                            • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                                                            • API String ID: 2423274481-1946953090
                                                                                            • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                                                            • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                                                            • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                                                            • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                                                            • API String ID: 2943138195-1388207849
                                                                                            • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                                                            • Instruction ID: 715b8a4a032554f043f2f6238c44f0f303b9008a12e291e9ee86aa17f6cdb5e6
                                                                                            • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                                                            • Instruction Fuzzy Hash: 1EF19077F0AA1684F7569B68D4643BC27A0FB113E8F404535CA1D16BAAEF3DE604C34A
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID: `anonymous namespace'
                                                                                            • API String ID: 2943138195-3062148218
                                                                                            • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                                                            • Instruction ID: e28c079929c83ea9281f6c59542f785adf31ed43518035661076df145c003a1b
                                                                                            • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                                                            • Instruction Fuzzy Hash: DDE18A7BB0AB8295EB12CF24E4A02AD77A0FB447A8F408035EB8D17B56DF38E555C705
                                                                                            APIs
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                                                            • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                                                            • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                                                            • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                                                            • String ID: (
                                                                                            • API String ID: 703713002-3887548279
                                                                                            • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                                                            • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                                                            • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                                                            • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                                                            • String ID: [NOT FOUND ] %s
                                                                                            • API String ID: 2350601386-3340296899
                                                                                            • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                                                            • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                                                            • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                                                            • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID:
                                                                                            • API String ID: 2943138195-0
                                                                                            • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                                                            • Instruction ID: f30add03308146b47404fda087e9206fbf5401e304f82e62df19b2994d3dd14b
                                                                                            • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                                                            • Instruction Fuzzy Hash: 4FF17C7BB09A829AE712DF64D4A02EC37B0FB0479CB448036DA4D67B96DF38D519C345
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                                            • String ID:
                                                                                            • API String ID: 1818695170-0
                                                                                            • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                                                            • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                                                            • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                                                            • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                                                            • API String ID: 2943138195-2309034085
                                                                                            • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                                                            • Instruction ID: 7b79c3677db95c5626d2a7c5587934bf8d5d256880497ff72a5bfcfc9860fdd6
                                                                                            • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                                                            • Instruction Fuzzy Hash: ECE19E6BF0A74284FB16AB64C9742BC27A1BF057E8F444535CA0D2AB97DE3CE505C34A
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                                                            • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                                                            • API String ID: 140832405-680935841
                                                                                            • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                                                            • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                                                            • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                                                            • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                            • String ID: csm$csm$csm
                                                                                            • API String ID: 3436797354-393685449
                                                                                            • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                                                            • Instruction ID: 72566b4b84d2ca015acdc34394895c697051bfddffe19c27869f4304a5abe608
                                                                                            • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                                                            • Instruction Fuzzy Hash: 45D17F7BB09B418AEB218B69E4503AD77A4FB457E8F400135DE8D57B96CF38E090C70A
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                                                            • String ID:
                                                                                            • API String ID: 3420081407-0
                                                                                            • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                                                            • Instruction ID: bad33a07af6c2587504ecb1dd4a0470cbea3150936dda13b3d4f73bae55b7e7d
                                                                                            • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                                                            • Instruction Fuzzy Hash: 20A1C462B0968246FF358FD095A03BA6691FB46BA4F44C232C95D567CEDFBCE844CB40
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                              • Part of subcall function 00007FFD9448B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                              • Part of subcall function 00007FFD9448B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9446A87E), ref: 00007FFD94466971
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9446A87E), ref: 00007FFD9446698E
                                                                                            • _Maklocstr.LIBCPMT ref: 00007FFD944669AA
                                                                                            • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9446A87E), ref: 00007FFD944669B3
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9446A87E), ref: 00007FFD944669D0
                                                                                            • _Maklocstr.LIBCPMT ref: 00007FFD944669EC
                                                                                            • _Maklocstr.LIBCPMT ref: 00007FFD94466A01
                                                                                              • Part of subcall function 00007FFD94454D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D72
                                                                                              • Part of subcall function 00007FFD94454D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D98
                                                                                              • Part of subcall function 00007FFD94454D50: memcpy.VCRUNTIME140(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454DB0
                                                                                            Strings
                                                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD94466999
                                                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFD944669DB
                                                                                            • :AM:am:PM:pm, xrefs: 00007FFD944669FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                                                            • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                                            • API String ID: 2460671452-35662545
                                                                                            • Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                                                            • Instruction ID: 66276c813af213c775f6ebd5c0808163cbccd0e0f083f2ca1101d701fd255108
                                                                                            • Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                                                            • Instruction Fuzzy Hash: 31218232B05B4182EB20DF61E5A02A973A1FB9AF94F488235DA4D0775BDF7CE585C380
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                                                            • String ID:
                                                                                            • API String ID: 1733283546-0
                                                                                            • Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                                                            • Instruction ID: 715e39a2fd588304abf1fe0406b2e7442ef060a2faa55325b6d1115aa5e23572
                                                                                            • Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                                                            • Instruction Fuzzy Hash: 0491A132709B4186EB748F91D4A037A76A1FB45BA4F048235EA5D17BC9DFBCE449CB00
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                                            • String ID:
                                                                                            • API String ID: 3166507417-0
                                                                                            • Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                                                            • Instruction ID: 9d2155916f83f7d2dbf8670d7e5b54185d44d23e63c93025e73e1b37383319c0
                                                                                            • Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                                                            • Instruction Fuzzy Hash: 9661D522F089429AFBA1DEE1D4E11FD2721AB56748F518235DE0D2379FEE78E54AC700
                                                                                            APIs
                                                                                            • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                                                            • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                                                            • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                                                            • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                                                            • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                                                            • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                                                            • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                                                            • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                                                            • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                                                            • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                                                              • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                                                              • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                                                              • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                                                              • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                                                              • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                                                              • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                                                              • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                                                              • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                                                            • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                                                            • String ID:
                                                                                            • API String ID: 2702579277-0
                                                                                            • Opcode ID: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                                                            • Instruction ID: 4e02132fa2518a481f17a5c3ad5963577c23686a774b89ce01035fe16d76d46e
                                                                                            • Opcode Fuzzy Hash: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                                                            • Instruction Fuzzy Hash: 09618EB2608A4082FB12CB26F8947EA67A2F78EBD0F505121FB9D476B5DF3DC5498700
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 2003779279-1866435925
                                                                                            • Opcode ID: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                                                            • Instruction ID: d626e26147bbcea511948558677540c5f078dbdba34ee7e6d47d23c234fe2240
                                                                                            • Opcode Fuzzy Hash: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                                                            • Instruction Fuzzy Hash: E991B022B19A4691EF748B95D4E13B92760FB56F84F48C036CA4E077AAEFADD446C300
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                                                            • API String ID: 0-3207858774
                                                                                            • Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                                                            • Instruction ID: cb773f62d3d9f4b06fcc403f4d4c52ac06288a6db9d00805af9c7cd7e253af41
                                                                                            • Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                                                            • Instruction Fuzzy Hash: 05919E2BB1AA8685FB52CB20D4606F837A4BF45BE9F884031DA5D07396DF3CE905C749
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                             • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+$Name::operator+=
                                                                                            • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                                                            • API String ID: 179159573-1464470183
                                                                                            • Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                                                            • Instruction ID: 33a80bf793bd6d406e7b621cbde53ac1cbd8ad3aabde654c1312d86a4462408f
                                                                                            • Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                                                            • Instruction Fuzzy Hash: 2F51693AF1AA1289FB56DB64E8A02BC37B0BB143E8F504135DE0D66B5ADF2DE551C304
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                             • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                                            • String ID:
                                                                                            • API String ID: 3781602613-0
                                                                                            • Opcode ID: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                                                            • Instruction ID: e94c97e6c85cb82689287d6440d8bae6e79d5cf7dfa141b79dacc3c81745a9d1
                                                                                            • Opcode Fuzzy Hash: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                                                            • Instruction Fuzzy Hash: 6B61B122F085829AF760DAE1C4E11FD2721AB56748F51C236EE0D27B9FDE78E54AC700
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                             • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID:
                                                                                            • API String ID: 2943138195-0
                                                                                            • Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                                                            • Instruction ID: b233c94b675f2f72fea757c9abb17a1ad4611d0c53b5832cc92a3f29a19847c7
                                                                                            • Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                                                            • Instruction Fuzzy Hash: 25616D67B05B5298FB02DBA0D8A12ED23B1FB447A8F404436DE4D2BB8ADF78D545C345
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                             • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                                            • String ID: csm$csm$csm
                                                                                            • API String ID: 211107550-393685449
                                                                                            • Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                                                            • Instruction ID: bdd20d2bd4c445bf5407ec0efaa9ea046f99b3d6ba0333efa0e78d1d793336b7
                                                                                            • Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                                                            • Instruction Fuzzy Hash: FCE1E47BB096818AE712DF38D4A03AD77A5FB44BA8F544136DA8C53796CF38E181C705
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                             • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memchrtolower$_errnoisspace
                                                                                            • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                                                            • API String ID: 3508154992-2692187688
                                                                                            • Opcode ID: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                                                            • Instruction ID: 8c616cf306aeb1b63d51d22031ee78cbfefe1fb67faac9fafa7b132ef9bb1412
                                                                                            • Opcode Fuzzy Hash: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                                                            • Instruction Fuzzy Hash: 6A51D912B0E6C645EBB58FA4A4A43B966906B47795F48C230CD9D1679FDEFCE842C700
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                             • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                                                            • API String ID: 2943138195-2239912363
                                                                                            • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                                                            • Instruction ID: ddbaa3ec777fedc20c03cb5132e02093295405b71db40b752fa1686797b38bed
                                                                                            • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                                                            • Instruction Fuzzy Hash: 28516D67F1AB4688FB529B60D8A12BC77B0BB087A8F444075DE4E12796DF3CD444C719
                                                                                            APIs
                                                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                                                            • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                                                              • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                                              • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                                              • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                                              • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                                              • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                                                            • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                             • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                                            • String ID: ImptRED_CEvent_
                                                                                            • API String ID: 2242036409-942587184
                                                                                            • Opcode ID: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                                                            • Instruction ID: 9b405900c275d478bf9193c59fc3990d56eeb31e22b03c6e117ca8d8066cf312
                                                                                            • Opcode Fuzzy Hash: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                                                            • Instruction Fuzzy Hash: 1D519AB2204B8096EB11CB6AE89079E7B70F389B98F504111EF8D57BA9DF3DC549CB00
                                                                                            APIs
                                                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                                                            • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                                                              • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                                              • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                                              • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                                              • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                                              • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                                                            • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                             • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                             • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                                            • String ID: ImptRED_SEvent_
                                                                                            • API String ID: 2242036409-1609572862
                                                                                            • Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                                                            • Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
                                                                                            • Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                                                            • Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40
                                                                                            APIs
                                                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                                                            • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                                                              • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                                              • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                                              • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                                              • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                                              • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                                                            • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                                            • String ID: ImptRED_CmdMap_
                                                                                            • API String ID: 2242036409-3276274529
                                                                                            • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                                                            • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                                                            • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                                                            • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                                                            APIs
                                                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                                                            • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                                                            • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                                                              • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                                              • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                                              • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                                              • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                                              • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                                              • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                                            • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                                                            • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                                                            • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                                            • String ID: ImptRED_DMap_
                                                                                            • API String ID: 2242036409-2879874026
                                                                                            • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                                                            • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                                                            • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                                                            • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 1099746521-1866435925
                                                                                            • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                                                            • Instruction ID: 49b0ee7292dda05a349b6fea1537bb605f71eb2f865d6670538b096a1d42a5ab
                                                                                            • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                                                            • Instruction Fuzzy Hash: 2721E251B1A50AA5EF75D7C0D8E26F91321EF52340F98C036D54E0A6AFEFADE249C740
                                                                                            APIs
                                                                                              • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                                                              • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                                                              • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                                                              • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                                                            • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                                                            • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                                                            • String ID: MRDH$SideCarLut
                                                                                            • API String ID: 916663099-3852011117
                                                                                            • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                                                            • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                                                            • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                                                            • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 2003779279-1866435925
                                                                                            • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                                                            • Instruction ID: 257a9c02d5c4295ef28ff6ca727962de7f0129ecdf5a3bed113352f259b06e5b
                                                                                            • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                                                            • Instruction Fuzzy Hash: 23618E22709A4685EF74CB95D4E13B96760FB82F84F54C036CA4E477AAEFADD446D300
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 1428583292-1866435925
                                                                                            • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                                                            • Instruction ID: 6169e71a01d841b78b2a292e8e6264dc4f652f90c6c1fdefe074f1194a7be6b1
                                                                                            • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                                                            • Instruction Fuzzy Hash: DE71AE72709A8295EF70CFA5E0A02A933A0FB45B98F848032EA4D47B5ADF7CD555C744
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                                                            • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                                                            • API String ID: 1852475696-928371585
                                                                                            • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                                                            • Instruction ID: fc4e7361384542d7af473b47c1a2ecdaed0d6de79319345b03d1e84024a25a2b
                                                                                            • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                                                            • Instruction Fuzzy Hash: CE51B46BB0AA4692EF61CB14E4A06B9A360FF54BE8F404431DA4E477A7DF3CE505C309
                                                                                            APIs
                                                                                            • std::ios_base::failure::failure.LIBCPMT ref: 00007FFD944998D3
                                                                                            • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD9448C678), ref: 00007FFD944998E4
                                                                                            • std::ios_base::failure::failure.LIBCPMT ref: 00007FFD94499927
                                                                                            • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD9448C678), ref: 00007FFD94499938
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 2003779279-1866435925
                                                                                            • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                                                            • Instruction ID: fff6594bd2e84081de46f977b58c85e5def29fd16e0f7f32f03946184a5146d6
                                                                                            • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                                                            • Instruction Fuzzy Hash: 8A616C22B19A4595EF74CB99D4E13B92760EB82F84F44C036CA4E473AAEFBDD446C740
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memchrtolower$_errnoisspace
                                                                                            • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                                                            • API String ID: 3508154992-4256519037
                                                                                            • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                                                            • Instruction ID: 93202378b5498f831e8ee6555a07c464cfb1ec10a074551d53302b832d133ad0
                                                                                            • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                                                            • Instruction Fuzzy Hash: 3651D912B0DA8646FBB58EA494A43797A906F47754F488134DF8D4279FEFBCD842D700
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+$Name::operator+=
                                                                                            • String ID: {for
                                                                                            • API String ID: 179159573-864106941
                                                                                            • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                                                            • Instruction ID: cebc0d9166264353a7cadc6ba62459bece269291b343b0636c60b9a7dc1b7882
                                                                                            • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                                                            • Instruction Fuzzy Hash: 10517A77B0AA85AAE7029F24D4613ED33A5FB057A8F808031EA5D0BB96DF3CD550C349
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 2003779279-1866435925
                                                                                            • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                                                            • Instruction ID: 17c36392b92bd27a92bd927df971a93f7092371a2b8932a63ef9579cdbbb524e
                                                                                            • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                                                            • Instruction Fuzzy Hash: A651AE22B0994991EF70CB99D4E02A9A360FF45F84F548032DA1D837BADFBCD442C300
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FFDAC126A6B,?,?,00000000,00007FFDAC12689C,?,?,?,?,00007FFDAC1265E5), ref: 00007FFDAC126931
                                                                                            • GetLastError.KERNEL32(?,?,?,00007FFDAC126A6B,?,?,00000000,00007FFDAC12689C,?,?,?,?,00007FFDAC1265E5), ref: 00007FFDAC12693F
                                                                                            • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDAC126A6B,?,?,00000000,00007FFDAC12689C,?,?,?,?,00007FFDAC1265E5), ref: 00007FFDAC126958
                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FFDAC126A6B,?,?,00000000,00007FFDAC12689C,?,?,?,?,00007FFDAC1265E5), ref: 00007FFDAC12696A
                                                                                            • FreeLibrary.KERNEL32(?,?,?,00007FFDAC126A6B,?,?,00000000,00007FFDAC12689C,?,?,?,?,00007FFDAC1265E5), ref: 00007FFDAC1269B0
                                                                                            • GetProcAddress.KERNEL32(?,?,?,00007FFDAC126A6B,?,?,00000000,00007FFDAC12689C,?,?,?,?,00007FFDAC1265E5), ref: 00007FFDAC1269BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                                                            • String ID: api-ms-
                                                                                            • API String ID: 916704608-2084034818
                                                                                            • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                                                            • Instruction ID: efc6918b11b262ea74cf92b53053e25b8305be66c1376e1eaba013300e10734f
                                                                                            • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                                                            • Instruction Fuzzy Hash: 6A31C12BB0BB4285EE17DB0298206B56294BF14BF4FA90535DD2D0B396EF3CE144D349
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                              • Part of subcall function 00007FFD9448B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                              • Part of subcall function 00007FFD9448B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD94481309
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD94481326
                                                                                            • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD9448134B
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD94481368
                                                                                              • Part of subcall function 00007FFD94454D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D72
                                                                                              • Part of subcall function 00007FFD94454D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D98
                                                                                              • Part of subcall function 00007FFD94454D50: memcpy.VCRUNTIME140(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454DB0
                                                                                            Strings
                                                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD94481331
                                                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFD94481373
                                                                                            • :AM:am:PM:pm, xrefs: 00007FFD94481392
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                                                            • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                                            • API String ID: 1539549574-35662545
                                                                                            • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                                                            • Instruction ID: f009068a1ae174043ef39df22b7674bf78e4be333e4cad14fd4423e153a625e5
                                                                                            • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                                                            • Instruction Fuzzy Hash: 66218236B05B4181EB20DF61E5A02A873A1FB9AF84F448135DA4D0775BEF7CE585C340
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                              • Part of subcall function 00007FFD9448B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                              • Part of subcall function 00007FFD9448B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94466A5E
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94466A7B
                                                                                            • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94466A9B
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94466AB8
                                                                                              • Part of subcall function 00007FFD94454DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94466AB5,?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94454DF9
                                                                                              • Part of subcall function 00007FFD94454DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94466AB5,?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94454E28
                                                                                              • Part of subcall function 00007FFD94454DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFD94466AB5,?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94454E3F
                                                                                            Strings
                                                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFD94466AC3
                                                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD94466A86
                                                                                            • :AM:am:PM:pm, xrefs: 00007FFD94466AD4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                                                            • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                                            • API String ID: 1539549574-3743323925
                                                                                            • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                                                            • Instruction ID: 872f64a2ecf566bcbe43e6b30f8b5c51004c583643d74fe875e7315c237d2f85
                                                                                            • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                                                            • Instruction Fuzzy Hash: 2E214F22A09B4182EB30DF61E5A427973B1FB9AB94F448134DA4E4775BEFBCE494C740
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort$AdjustPointer
                                                                                            • String ID:
                                                                                            • API String ID: 1501936508-0
                                                                                            • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                                                            • Instruction ID: ad4b97ba8c98c54192c29ea686b6a9477f415eb3e326289ec3a0278fbfece605
                                                                                            • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                                                            • Instruction Fuzzy Hash: 4551AA2BF0BA9381EE6B8B11946477C63E4EF44BF4F198439DA4D06386CF6CE451930A
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort$AdjustPointer
                                                                                            • String ID:
                                                                                            • API String ID: 1501936508-0
                                                                                            • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                                                            • Instruction ID: bb95c3174d5b4c42a66aa4f6e81709276fc8874ccc83716890cf365e6f2e2ff6
                                                                                            • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                                                            • Instruction Fuzzy Hash: B251AF2BB0FA4281EE679B119564B3C6390AF64FF4F198435DE8D06797DE2CE442C30A
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                                            • String ID:
                                                                                            • API String ID: 578106097-0
                                                                                            • Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                                                            • Instruction ID: 4fc23ff06aca73abbeacf5eb9831e458a120181191a559cb6d0c36140836dfeb
                                                                                            • Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                                                            • Instruction Fuzzy Hash: 7961C622B1C94292EAB1DF91E4E05AE6760FF96744F508532EA4D1378FEEBCE546C700
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                                            • String ID:
                                                                                            • API String ID: 578106097-0
                                                                                            • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                                                            • Instruction ID: df4a45ccb481533c78515c81aaa028183295207eceee3eebafbaf433b6cb33f7
                                                                                            • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                                                            • Instruction Fuzzy Hash: 3361A322B1894286EAA1DF91E8E05BE6760FB96744F508132EA4D1778FEEBCD549C700
                                                                                            APIs
                                                                                              • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                                              • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                                              • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                                                            • memmove.VCRUNTIME140 ref: 000000014000C3C8
                                                                                            • memmove.VCRUNTIME140 ref: 000000014000C427
                                                                                              • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                                                              • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memmove$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                                                            • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                                                            • API String ID: 1084872782-103080910
                                                                                            • Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                                                            • Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
                                                                                            • Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                                                            • Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileHeader_local_unwind
                                                                                            • String ID: MOC$RCC$csm$csm
                                                                                            • API String ID: 2627209546-1441736206
                                                                                            • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                                                            • Instruction ID: c874176b5269d40505c7d95cebc4cee18c4317fbbee8f1c716f8077a486e9f9f
                                                                                            • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                                                            • Instruction Fuzzy Hash: 6F51817BB0B65186EE629F2590A177D76A0FF44BE8F540031EA4D52387DF3CE4428B46
                                                                                            APIs
                                                                                            • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                                            • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                                            • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                                            • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                                            • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                                            • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                                            • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                                                            • String ID:
                                                                                            • API String ID: 1492985063-0
                                                                                            • Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                                                            • Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
                                                                                            • Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                                                            • Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300
                                                                                            APIs
                                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BB38
                                                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BB48
                                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BB5D
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BB91
                                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BB9B
                                                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BBAB
                                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BBBB
                                                                                              • Part of subcall function 00007FFD944A25AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455AF8), ref: 00007FFD944A25C6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                                                            • String ID:
                                                                                            • API String ID: 2538139528-0
                                                                                            • Opcode ID: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                                                            • Instruction ID: b2615f57a5299315b8ade11662a0da149b53304f264780f184517156bae129f1
                                                                                            • Opcode Fuzzy Hash: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                                                            • Instruction Fuzzy Hash: 6B41B222B09A8191EF24DBD6E5942A9A311FB46BC4F548532EE1D0BB9FCEBCD541D340
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$xtime_get
                                                                                            • String ID:
                                                                                            • API String ID: 1104475336-0
                                                                                            • Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                                                            • Instruction ID: fec15731898764f1403f5559809abfe32fa785a5007d686abe44ad414b260b7d
                                                                                            • Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                                                            • Instruction Fuzzy Hash: EB414231B0868A96EB74CF95D4E423973A0EB06755F14C036CB4E426AEDFBDE489CB00
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 2924853686-1866435925
                                                                                            • Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                                                            • Instruction ID: 78f674c693d49c1f8b28d7d40c4a84b1761e6db409088724dc42e5d2eaa24702
                                                                                            • Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                                                            • Instruction Fuzzy Hash: E241E272B15B4696EB74CFA4E0A03AC33A0FB15BA8F448131CA4C4B65ADFBCD1A4C740
                                                                                            APIs
                                                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD94473B56
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                              • Part of subcall function 00007FFD9448B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                              • Part of subcall function 00007FFD9448B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            • _Maklocstr.LIBCPMT ref: 00007FFD94473BCF
                                                                                            • _Maklocstr.LIBCPMT ref: 00007FFD94473BE5
                                                                                            • _Getvals.LIBCPMT ref: 00007FFD94473C8A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                                            • String ID: false$true
                                                                                            • API String ID: 2626534690-2658103896
                                                                                            • Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                                                            • Instruction ID: 6f158b54c48690811c7cd1b99b7cdd6ba4d0b5d1c418f985fedd94a91eda9e83
                                                                                            • Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                                                            • Instruction Fuzzy Hash: 3E418F26B08B8199F720CFB4D4501ED33B0FB9974CB409226EE4D27A5AEF78D256C380
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: NameName::atol
                                                                                            • String ID: `template-parameter$void
                                                                                            • API String ID: 2130343216-4057429177
                                                                                            • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                                                            • Instruction ID: 4307fb4935a2157f9f536fae10b70b16686bda12957e39b151f7b8193fad8579
                                                                                            • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                                                            • Instruction Fuzzy Hash: 2541392BB0AB5688FB429BA4D8613EC23B1BB047E8F945435CE0D1AB56DF7CD505C345
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                            • API String ID: 2943138195-2211150622
                                                                                            • Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                                                            • Instruction ID: 269dade5e9fa737f88bbff99c121884893228788119f673a355efe0e8dd4e217
                                                                                            • Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                                                            • Instruction Fuzzy Hash: 15415D7BF1AB4688FB528B24D8A12AC37E0FB187A8F848131DA8D16356DF3CD545C749
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID: char $int $long $short $unsigned
                                                                                            • API String ID: 2943138195-3894466517
                                                                                            • Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                                                            • Instruction ID: a7bfebef3d73734580170cc8c3a898fcb190476a6bb5e8303ddb8fbd07914d4a
                                                                                            • Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                                                            • Instruction Fuzzy Hash: 23417C7BF1AA5688EB568F68D8642BC37A1BB047A8F448031CA0C26B5ADF3CD544C709
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                                                            • String ID:
                                                                                            • API String ID: 3009415009-0
                                                                                            • Opcode ID: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                                                            • Instruction ID: 685fd12be974a2d3eb06d7ee029fe8d4ed3781c91e6ed28f569d08366902a0b3
                                                                                            • Opcode Fuzzy Hash: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                                                            • Instruction Fuzzy Hash: E0E17F22B09B8585FB20DBE5D5A02AC2371FB4AB88F548125DE5D27B9ADF7CD44AC300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Dunscale$_errno
                                                                                            • String ID:
                                                                                            • API String ID: 2900277114-0
                                                                                            • Opcode ID: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                                                            • Instruction ID: 54b456c9df87d33caa2e2588cf573b4c141dc1648a6fdf0ac49dc0e76e5807e6
                                                                                            • Opcode Fuzzy Hash: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                                                            • Instruction Fuzzy Hash: 93A1B427F18E4A86D761DFB485E01BD2362FF577D4F50C235E64A2668AEF78A092C301
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Dunscale$_errno
                                                                                            • String ID:
                                                                                            • API String ID: 2900277114-0
                                                                                            • Opcode ID: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                                                            • Instruction ID: f200136088a630eb2b3ed4d70426fa60db6fec4bce7fe176fd2b15a2972c8944
                                                                                            • Opcode Fuzzy Hash: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                                                            • Instruction Fuzzy Hash: 52A1E232B286469AE7A0DEA685E10BC6351FF1675CF55C230EB091229FDFB8B496C300
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memmove$memcpy$_invalid_parameter_noinfo_noreturn
                                                                                            • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                                                            • API String ID: 100741404-1215215629
                                                                                            • Opcode ID: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                                                            • Instruction ID: 1f94f83d43c849715069b53280c3cf1e8531b19b99bc01c412034d7b6d4e24df
                                                                                            • Opcode Fuzzy Hash: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                                                            • Instruction Fuzzy Hash: B19122B1211A8499EB22DF27F8503DA7361F74ABD4F884222EB490B7B9DB7EC141C701
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: fgetc
                                                                                            • String ID:
                                                                                            • API String ID: 2807381905-0
                                                                                            • Opcode ID: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                                                            • Instruction ID: 49e803bc5a673acc655ff51b7d4efecd1d529006f2672eb172efc10dc0528637
                                                                                            • Opcode Fuzzy Hash: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                                                            • Instruction Fuzzy Hash: B4914973706A4188EF208FA5C4E42AC33A1FB59B98F559632EA4D43B9EDF79D454C300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                                            • String ID:
                                                                                            • API String ID: 3490103321-0
                                                                                            • Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                                                            • Instruction ID: c5dfa07fc78f31c0124340ca08eb9505cad59352fcecd50bf2de92e54037cd8a
                                                                                            • Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                                                            • Instruction Fuzzy Hash: 3E61A322B1898286E6B1DE91E4E05AE6760FB96744F508532EE4D5378FDEBCE44AC700
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                                            • String ID:
                                                                                            • API String ID: 3490103321-0
                                                                                            • Opcode ID: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                                                            • Instruction ID: b3c0f84446d29dbbc7f5f40746bbef3093d3bbfd5e70c1cac7b7387a7a5f3e6b
                                                                                            • Opcode Fuzzy Hash: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                                                            • Instruction Fuzzy Hash: 8961A422B1868286E6A1DE91E8E05BE6720FB96344F508532FE4D17B9FDEBCD545C700
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                            • String ID:
                                                                                            • API String ID: 1775671525-0
                                                                                            • Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                                                            • Instruction ID: ccd3656f78c31ea2adf76ed6ebe860b9ad5c8f9722888aceceb0486a8cce8bc0
                                                                                            • Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                                                            • Instruction Fuzzy Hash: E4412461B1864191EE249BD6E5942A96351FB06FE0F588631EF6D0BBDFEEBCE041D300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileHandle$CloseCreateInformation
                                                                                            • String ID:
                                                                                            • API String ID: 1240749428-0
                                                                                            • Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                                                            • Instruction ID: 2bcb11c2da026a0e855fe13c2d808beeda2c75a8899395cf046651ac021b0a6b
                                                                                            • Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                                                            • Instruction Fuzzy Hash: 2841C132F086418AFB20CFB1A8A07AD33A0AB597ACF019335DD1C12A99DF78D595C740
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                                                            • String ID:
                                                                                            • API String ID: 3741236498-0
                                                                                            • Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                                                            • Instruction ID: 5a2235a9b88ac698d38a3afc51c3f471ceef7d8716ae319af85bc02aeec76101
                                                                                            • Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                                                            • Instruction Fuzzy Hash: D831D72BB1AB9180EB12CB26A8146A93394FF19FF4B958535DD2D033C1EE3DD441C345
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                                                            • String ID:
                                                                                            • API String ID: 2153537742-0
                                                                                            • Opcode ID: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                                                            • Instruction ID: 534899ad21150968aac174715d7514135b35f9473fc5e80356d1b8ef46292b69
                                                                                            • Opcode Fuzzy Hash: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                                                            • Instruction Fuzzy Hash: 95115E38A0024155FA5FB7F398173EC11969FAC3C4F454524BB498F2F3EE7B88658662
                                                                                            APIs
                                                                                            • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD94455F96), ref: 00007FFD94452F59
                                                                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455F96), ref: 00007FFD94452F6B
                                                                                            • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD94455F96), ref: 00007FFD94452F7A
                                                                                            • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD94455F96), ref: 00007FFD94452FE0
                                                                                            • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD94455F96), ref: 00007FFD94452FEE
                                                                                            • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFD94455F96), ref: 00007FFD94453001
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                                                            • String ID:
                                                                                            • API String ID: 490008815-0
                                                                                            • Opcode ID: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                                                            • Instruction ID: 776ad1ecf70ecc6925d1faeceac9f295511ec668aeaf05b18fc1896c564cab39
                                                                                            • Opcode Fuzzy Hash: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                                                            • Instruction Fuzzy Hash: 06216022E09B8583E7158F78D65127837A0FBAAB48F15E224CF8C16217EF79E1D5C340
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$FileUnmapView
                                                                                            • String ID:
                                                                                            • API String ID: 260491571-0
                                                                                            • Opcode ID: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                                                            • Instruction ID: e4157fc547da492297a5d265050bc8fab675aa544c6886f43f24823cbbcadd6d
                                                                                            • Opcode Fuzzy Hash: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                                                            • Instruction Fuzzy Hash: 1DF01438616E00D5FA07DB63ECA83A427A1BB8DBD9F440211EB4E4B331DE3F85998300
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort$CallEncodePointerTranslator
                                                                                            • String ID: MOC$RCC
                                                                                            • API String ID: 2889003569-2084237596
                                                                                            • Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                                                            • Instruction ID: baa2c34b101329aa109b727f15aad72bfe44d0d8ea6b517264fe7e5b26e97e3b
                                                                                            • Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                                                            • Instruction Fuzzy Hash: 6691BC77B09B818AE712CB68E4903AD7BA4FB087D8F10413AEA8D57756DF38D091CB05
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                                                            • API String ID: 2943138195-757766384
                                                                                            • Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                                                            • Instruction ID: f48731b3f67330786067ce27b9317268f032cd42ede56a4c0860cfeea12581b0
                                                                                            • Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                                                            • Instruction Fuzzy Hash: 4671917BB0AA4684F7568F14D8A02BC63A0BB057E4F848135DA5E17B9BDF3CE560C345
                                                                                            APIs
                                                                                            • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                                                              • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                                              • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                                                            • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort$CallEncodePointerTranslator
                                                                                            • String ID: MOC$RCC
                                                                                            APIs
                                                                                            • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94489122), ref: 00007FFD94489CFA
                                                                                            • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94489122), ref: 00007FFD94489D0B
                                                                                            • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94489122), ref: 00007FFD94489D64
                                                                                            • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD94489122), ref: 00007FFD94489E14
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: isspace$isalnumisxdigit
                                                                                            • String ID: (
                                                                                            APIs
                                                                                            • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9448B212), ref: 00007FFD9448BBFE
                                                                                            • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9448B212), ref: 00007FFD9448BC0F
                                                                                            • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9448B212), ref: 00007FFD9448BC76
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: iswspace$iswxdigit
                                                                                            • String ID: (
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                              • Part of subcall function 00007FFD9448B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                              • Part of subcall function 00007FFD9448B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFD9446A22C), ref: 00007FFD94473A25
                                                                                              • Part of subcall function 00007FFD9445B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94481347,?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD9445B7BF
                                                                                              • Part of subcall function 00007FFD9445B794: memcpy.VCRUNTIME140(?,?,00000000,00007FFD94481347,?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD9445B7DB
                                                                                            • _Getvals.LIBCPMT ref: 00007FFD94473A61
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                                                            • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                                            APIs
                                                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD94473CE2
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                              • Part of subcall function 00007FFD9448B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                              • Part of subcall function 00007FFD9448B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            • _Maklocstr.LIBCPMT ref: 00007FFD94473D5B
                                                                                            • _Maklocstr.LIBCPMT ref: 00007FFD94473D71
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                                            • String ID: false$true
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            APIs
                                                                                            • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                                                            • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                                                            • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                                                            • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 3275830057-0
                                                                                            • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                                                            • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                                                            • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                                                            • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: fgetwc
                                                                                            • String ID:
                                                                                            • API String ID: 2948136663-0
                                                                                            • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                                                            • Instruction ID: 7e1c1a3f6455ceebf9c82b783136a49fc56df25a21bb9a6fc24f93de37ad54be
                                                                                            • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                                                            • Instruction Fuzzy Hash: 85814972705A4188EB708FA5C4E03AC33A5FB49B98F529632EA4E47B9EDF79C454C344
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                                                            • String ID:
                                                                                            • API String ID: 2665656946-0
                                                                                            • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                                                            • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                                                            • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                                                            • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                                                            APIs
                                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445B9D3
                                                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445B9E1
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BA1A
                                                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BA24
                                                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD94481347), ref: 00007FFD9445BA32
                                                                                              • Part of subcall function 00007FFD944A25AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455AF8), ref: 00007FFD944A25C6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
                                                                                            • String ID:
                                                                                            • API String ID: 3375828981-0
                                                                                            • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                                                            • Instruction ID: ed4d9cd751ee58088603e51a0f8f878024e2fd03f89a6252b0b9382150b8cdfd
                                                                                            • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                                                            • Instruction Fuzzy Hash: 0F31C721709AC251EE249FD6A5A436A6351FB06BD0F548531EF5D0BB9FDEBCE441D300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: NameName::$Name::operator+
                                                                                            • String ID:
                                                                                            • API String ID: 826178784-0
                                                                                            • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                                                            • Instruction ID: df129884f745bf3689b04c7a9bfaca325e398abcc856e3bb97e7ff521b3a61e0
                                                                                            • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                                                            • Instruction Fuzzy Hash: B741913BB0AB56C4E712DB21D8A02BC73A4BB15BE4B944032DA5D23796DF3CE855C309
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD94462160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFD94454C3E,?,?,00000000,00007FFD94455B5B), ref: 00007FFD9446216F
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455B5B), ref: 00007FFD94454C47
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455B5B), ref: 00007FFD94454C5B
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455B5B), ref: 00007FFD94454C6F
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455B5B), ref: 00007FFD94454C83
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455B5B), ref: 00007FFD94454C97
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455B5B), ref: 00007FFD94454CAB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$setlocale
                                                                                            • String ID:
                                                                                            • API String ID: 294139027-0
                                                                                            • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                                                            • Instruction ID: 4908fe552be0c8b853022746e0e373ffa2101b7d1edc5c3d5dfedea8648d310d
                                                                                            • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                                                            • Instruction Fuzzy Hash: E3119622B0AA0595EF7A9FE1D4F533963A1EF85F49F188234C90A0954ECEFD9894D3D0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_func$abortfputcfputs
                                                                                            • String ID:
                                                                                            • API String ID: 2697642930-0
                                                                                            • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                                                            • Instruction ID: b182bda02e3b1df9035216704e13d3669038e785ed937590709fe4910ccb8fc9
                                                                                            • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                                                            • Instruction Fuzzy Hash: 3EE0E664B0654197E72C6BE1EDBD33453169F4EB51F148038C90F4635ECDBC5448C211
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                                                            • String ID: %.0Lf$0123456789-
                                                                                            • API String ID: 4032823789-3094241602
                                                                                            • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                                                            • Instruction ID: 9b36e0afdb062e18b22fd20632c15cbd40b5d174de980804701309e0ab515893
                                                                                            • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                                                            • Instruction Fuzzy Hash: C8717A72B49B5589EB20CFA5D4A42AC2371FB4AB88F448136DE4D17B9ADE78D44AC340
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                                                            • String ID: 0123456789-
                                                                                            • API String ID: 2457263114-3850129594
                                                                                            • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                                                            • Instruction ID: 886d65b79b89f44510d86987f86f9236b3f44061a1e9435c1fd581d1ddefa71e
                                                                                            • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                                                            • Instruction Fuzzy Hash: 4971A022B09B8599FB61CBE5D5A02AC3770EB56B88F448035DF4D17B9ECE78D459C300
                                                                                            APIs
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                            • String ID: gfffffff$gfffffff
                                                                                            • API String ID: 3668304517-161084747
                                                                                            • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                                                            • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                                                            • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                                                            • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                                                            • String ID: %.0Lf
                                                                                            • API String ID: 1248405305-1402515088
                                                                                            • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                                                            • Instruction ID: 5c01ae095fc8cd2c9e7b20acdd19e086d9226ca0101fd292ea00e8c99ff3d991
                                                                                            • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                                                            • Instruction Fuzzy Hash: 0161B222B09B8185EB21DBF5E8A02AD7761FB56B94F048135EE4D27B6EDE7CD055C300
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDAC126710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDAC12239E), ref: 00007FFDAC12671E
                                                                                            • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDAC1241C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort
                                                                                            • String ID: $csm$csm
                                                                                            • API String ID: 4206212132-1512788406
                                                                                            • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                                                            • Instruction ID: e481440964ab038b4acc6fc7ad414752a5b76d0d9590946c64465e5321d665da
                                                                                            • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                                                            • Instruction Fuzzy Hash: 8771913770969186D7668F25E4607B97BA0FB05BE8F148135DF8807B86CF2CE491C74A
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDAC126710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDAC12239E), ref: 00007FFDAC12671E
                                                                                            • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDAC123F13
                                                                                            • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFDAC123F23
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                                                            • String ID: csm$csm
                                                                                            • API String ID: 4108983575-3733052814
                                                                                            • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                                                            • Instruction ID: c79e563d54fe8a582063bdd19859788de4e8407b8ebbd4817abf5595b0ff4a8b
                                                                                            • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                                                            • Instruction Fuzzy Hash: F751AF3BB0968286EB758F19A06436876A4FB40BE4F544136DB8D43BD6CF3CE450C70A
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Exception$RaiseThrowabort
                                                                                            • String ID: csm
                                                                                            • API String ID: 3758033050-1018135373
                                                                                            • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                                                            • Instruction ID: 611adbf81b114eca613a792660c7d22eb815cd0678680997020db2850ebf7e44
                                                                                            • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                                                            • Instruction Fuzzy Hash: AD516D22A04B8586EB21CF68C4A02A833A0FB59B58F15D326DA5D077AADF79E5D5C700
                                                                                            APIs
                                                                                            • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9445F8D4
                                                                                            • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9445F8E6
                                                                                            • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9445F96B
                                                                                              • Part of subcall function 00007FFD94454D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D72
                                                                                              • Part of subcall function 00007FFD94454D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D98
                                                                                              • Part of subcall function 00007FFD94454D50: memcpy.VCRUNTIME140(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454DB0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: setlocale$freemallocmemcpy
                                                                                            • String ID: bad locale name
                                                                                            • API String ID: 1663771476-1405518554
                                                                                            • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                                                            • Instruction ID: f5d749ba46b47f109ad69950061c0cb2ce3f0bd604a2edfde3b10191e185822f
                                                                                            • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                                                            • Instruction Fuzzy Hash: 7A31D022F09B4251FF748BD5A4A027AA291AF86B80F48C035DA4D4779FDEACE881C341
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                              • Part of subcall function 00007FFD9448B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                              • Part of subcall function 00007FFD9448B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFD9446A07C), ref: 00007FFD944738E1
                                                                                              • Part of subcall function 00007FFD9445B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94481347,?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD9445B7BF
                                                                                              • Part of subcall function 00007FFD9445B794: memcpy.VCRUNTIME140(?,?,00000000,00007FFD94481347,?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD9445B7DB
                                                                                              • Part of subcall function 00007FFD944667B0: _Maklocstr.LIBCPMT ref: 00007FFD944667E0
                                                                                              • Part of subcall function 00007FFD944667B0: _Maklocstr.LIBCPMT ref: 00007FFD944667FF
                                                                                              • Part of subcall function 00007FFD944667B0: _Maklocstr.LIBCPMT ref: 00007FFD9446681E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                                                            • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                                            • API String ID: 2904694926-3573081731
                                                                                            • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                                                            • Instruction ID: 26140c023d731a976a728c8fdf81c9d30012c1c1734aba27e4b71ed1c8ad6965
                                                                                            • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                                                            • Instruction Fuzzy Hash: 9941C0B2B08B8197E735CF6191E016D7BA0FB86781B048135DB8943E16DFB8F566CB00
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                              • Part of subcall function 00007FFD9448B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                              • Part of subcall function 00007FFD9448B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFD94482278), ref: 00007FFD9448434D
                                                                                              • Part of subcall function 00007FFD9445B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94481347,?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD9445B7BF
                                                                                              • Part of subcall function 00007FFD9445B794: memcpy.VCRUNTIME140(?,?,00000000,00007FFD94481347,?,?,?,?,?,?,?,?,?,00007FFD9448243E), ref: 00007FFD9445B7DB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                                                            • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                                            • API String ID: 3376215315-3573081731
                                                                                            • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                                                            • Instruction ID: 13253f24ed2584f35a95f0563a9215964e84f9046db6166d29e9d2ce1aa4acab
                                                                                            • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                                                            • Instruction Fuzzy Hash: 1941BE32B08B9297E775CF6591E056D7BA0FB46B857048231DB8943F06EFB8E562CB40
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: NameName::
                                                                                            • String ID: %lf
                                                                                            • API String ID: 1333004437-2891890143
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFindNext$wcscpy_s
                                                                                            • String ID: .
                                                                                            • API String ID: 544952861-248832578
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                                                            • String ID: ios_base::badbit set
                                                                                            • API String ID: 1099746521-3882152299
                                                                                            APIs
                                                                                              • Part of subcall function 00007FFDAC126710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDAC12239E), ref: 00007FFDAC12671E
                                                                                            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDAC12243E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: abortterminate
                                                                                            • String ID: MOC$RCC$csm
                                                                                            • API String ID: 661698970-2671469338
                                                                                            APIs
                                                                                            • __C_specific_handler.LIBVCRUNTIME ref: 00007FFDAC12E9F0
                                                                                              • Part of subcall function 00007FFDAC12EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFDAC12ECF0
                                                                                              • Part of subcall function 00007FFDAC12EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFDAC12E9F5), ref: 00007FFDAC12ED3F
                                                                                              • Part of subcall function 00007FFDAC126710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDAC12239E), ref: 00007FFDAC12671E
                                                                                            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDAC12EA1A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                                                            • String ID: csm$f
                                                                                            • API String ID: 2451123448-629598281
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID:
                                                                                            • API String ID: 2943138195-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+$NameName::
                                                                                            • String ID:
                                                                                            • API String ID: 168861036-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_invalid_parameter_noinfo_noreturnmemmove
                                                                                            • String ID:
                                                                                            • API String ID: 48703092-0
                                                                                            APIs
                                                                                            • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFD944667E5), ref: 00007FFD94466EA1
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFD944667E5), ref: 00007FFD94466EF2
                                                                                            • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFD944667E5), ref: 00007FFD94466EFC
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFD94466F3D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                            • String ID:
                                                                                            • API String ID: 1775671525-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                            • String ID:
                                                                                            • API String ID: 1775671525-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 2233944734-0
                                                                                            • Opcode ID: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                                                            • Instruction ID: 4f75e795a751a5070e902f9a2a591e3214e2797a7739e8f84669a1f3881190e3
                                                                                            • Opcode Fuzzy Hash: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                                                            • Instruction Fuzzy Hash: DE41D432B1CA4686F771DBA590E11B96350AF8A744F54C631EA4D1379FDFBCE906C600
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                                                            • String ID:
                                                                                            • API String ID: 2234106055-0
                                                                                            • Opcode ID: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                                                            • Instruction ID: 9760fbcc13e0b8acce4d6902d07f5f0a371cc62d9dd434a8ec1a7b2351fad51f
                                                                                            • Opcode Fuzzy Hash: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                                                            • Instruction Fuzzy Hash: 1331B922B0C75182FB355BE6A4A037DAA91FB91792F188035DE8E0779EDE7CE445CB10
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                                                            • String ID:
                                                                                            • API String ID: 3857474680-0
                                                                                            • Opcode ID: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                                                            • Instruction ID: aa3940114cabffdcd77d394f59800fa533197adeed2ffb588490145661c9d4b3
                                                                                            • Opcode Fuzzy Hash: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                                                            • Instruction Fuzzy Hash: 9B31F632B0C75182FF354B9594A037D6A91EB92F95F188035DA8E0779EDEBCE484CB10
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID:
                                                                                            • API String ID: 2943138195-0
                                                                                            • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                                                            • Instruction ID: e7b5eb3dcef03ede1965e525b1c186833a2ebbc05b141bc348abae3dd574246c
                                                                                            • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                                                            • Instruction Fuzzy Hash: 5F415477B09B8589FB02CF68D8A13AC37A0BB44BA8F548035DA4E5775ACB7CD842C345
                                                                                            APIs
                                                                                            • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFD9447E921), ref: 00007FFD9448AFB7
                                                                                            • memcpy.VCRUNTIME140(?,00000000,?,?,?,00007FFD9447E921), ref: 00007FFD9448AFDB
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFD9447E921), ref: 00007FFD9448AFE8
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFD9447E921), ref: 00007FFD9448B05B
                                                                                              • Part of subcall function 00007FFD94452E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94452E5A
                                                                                              • Part of subcall function 00007FFD94452E30: LCMapStringEx.KERNEL32 ref: 00007FFD94452E9E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
                                                                                            • String ID:
                                                                                            • API String ID: 2888714520-0
                                                                                            • Opcode ID: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                                                            • Instruction ID: f471cbbc9c96e2b2bf293dc1222e667381a8c85855d687959c42628bfeda4680
                                                                                            • Opcode Fuzzy Hash: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                                                            • Instruction Fuzzy Hash: B621F961B09BD185EA709F52A49052A9A90FB47BD4F588231EE6D17BDBDE7CD401C300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _fsopen$fclosefseek
                                                                                            • String ID:
                                                                                            • API String ID: 410343947-0
                                                                                            • Opcode ID: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                                                            • Instruction ID: f9caeeaebcfc9d86d505821fd1f1f2430302d80a46928e954add1af0d965179d
                                                                                            • Opcode Fuzzy Hash: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                                                            • Instruction Fuzzy Hash: B731E521B2974141EF7887D6A4A46756292EF8AF84F488234CF0D4379DDEBCE441C380
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wfsopen$fclosefseek
                                                                                            • String ID:
                                                                                            • API String ID: 1261181034-0
                                                                                            • Opcode ID: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                                                            • Instruction ID: c72e0334e5f5339d603ea6f5d3df9276e1b630fce05138b2bb31c7395d7e2f18
                                                                                            • Opcode Fuzzy Hash: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                                                            • Instruction Fuzzy Hash: AA31C825B1964642FF7DC796A4E467522A1EFC6F84F488234CE0E53799DE7CE841C740
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                                                            • String ID:
                                                                                            • API String ID: 4174221723-0
                                                                                            • Opcode ID: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                                                            • Instruction ID: 329cc6dd5267e1a20a6fc7da630ad77381380cdf8f0f417e816be49fa379c834
                                                                                            • Opcode Fuzzy Hash: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                                                            • Instruction Fuzzy Hash: F4315072A18B8441EB128B26E4453AE6751E79DBF4F249301F7FD0B6F9DBB9D5C08600
                                                                                            APIs
                                                                                            • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFD9448576B), ref: 00007FFD9448A604
                                                                                            • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFD9448576B), ref: 00007FFD9448A60E
                                                                                              • Part of subcall function 00007FFD944526E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94452728
                                                                                              • Part of subcall function 00007FFD944526E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9445274E
                                                                                              • Part of subcall function 00007FFD944526E0: GetCPInfo.KERNEL32 ref: 00007FFD94452792
                                                                                            • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFD9448576B), ref: 00007FFD9448A631
                                                                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFD9448576B), ref: 00007FFD9448A66F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                                                            • String ID:
                                                                                            • API String ID: 3421985146-0
                                                                                            • Opcode ID: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                                                            • Instruction ID: accfafaa6d246dcea6cdc6f6c26efd3d8cc25f45f0145e1651937e4c3eed9eb0
                                                                                            • Opcode Fuzzy Hash: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                                                            • Instruction Fuzzy Hash: E4219231B0878286EB648FA69590029BB94FB85FD4B458235DA9D6779ECFBCE801C700
                                                                                            APIs
                                                                                            • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                                                              • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                                              • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                                                            • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                                                            • API String ID: 1351999747-1487749591
                                                                                            • Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                                                            • Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
                                                                                            • Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                                                            • Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: memmove$FormatFreeLocalMessage
                                                                                            • String ID: unknown error
                                                                                            • API String ID: 725469203-3078798498
                                                                                            • Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                                                            • Instruction ID: 8f0504c47ee8660f89153600e2add8a997bdc249596fedbfb6f6d09b33438452
                                                                                            • Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                                                            • Instruction Fuzzy Hash: 52115B2260978582E7209B65E59136DB7A0FB8ABCCF488234DA8C0B79FDFBCD554C741
                                                                                            APIs
                                                                                            • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                            • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                            • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                            • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                                                            • String ID:
                                                                                            • API String ID: 3203701943-0
                                                                                            • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                                                            • Instruction ID: 67259b15765a04c5ebc56e7113e420ac834bbb688dd2373df3b45fc5de39bc82
                                                                                            • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                                                            • Instruction Fuzzy Hash: 500148A2F15BA186EB148FB9D950128B7A0FB59B84B14C231EA0E87319DA7CD0C2C700
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: malloc
                                                                                            • String ID: MOC$RCC$csm
                                                                                            • API String ID: 2803490479-2671469338
                                                                                            • Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                                                            • Instruction ID: 7dee1ddfae81333c460d7f309f2ec4a41a2c9338a2ce7fb10c59ef06a3b673eb
                                                                                            • Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                                                            • Instruction Fuzzy Hash: 9D017521F0814286EF745FD596E51792261FF4BB84F58C033D60D0778FCEACA841CA02
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                                                            • String ID: 0123456789-
                                                                                            • API String ID: 4032823789-3850129594
                                                                                            • Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                                                            • Instruction ID: 050810a25285fa36a13a1f2be5fe882e97c026cdbd46345009f5c988de30d0af
                                                                                            • Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                                                            • Instruction Fuzzy Hash: FF717F32B49B5599EB20CFA5E4A02AC3371FB49B98F458036DE4D17B9EDE78D44AC340
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                                                            • String ID: %.0Lf
                                                                                            • API String ID: 296878162-1402515088
                                                                                            • Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                                                            • Instruction ID: d9d929b251fca6564846db066697f4f2df1042f430dad01bf5f5e055ed00addb
                                                                                            • Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                                                            • Instruction Fuzzy Hash: F7719232B09F8585EB21CBA5E4A02AD6361EF56B94F058132DE4D27B6ADF7CD046C300
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                                                            • String ID: %.0Lf
                                                                                            • API String ID: 296878162-1402515088
                                                                                            • Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                                                            • Instruction ID: 0c6b7ce45e77d2b85f2dc7515d35cdb649f6d6d8473df68429c34da79a6886d8
                                                                                            • Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                                                            • Instruction Fuzzy Hash: 10719232B09B8595EB21CBA5E4A02AD77B1EF95798F048132DE4D17B5ADF78D046C340
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: rand_s
                                                                                            • String ID: invalid random_device value
                                                                                            • API String ID: 863162693-3926945683
                                                                                            • Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                                                            • Instruction ID: d5f5ab06d35340cdc003689744d52fa8e4ca21e2fee4fe887d6801415de7ba42
                                                                                            • Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                                                            • Instruction Fuzzy Hash: 2451A711E18E4585FBA29B7444F11BA6354AF17384F14C732E75E3669BEFB9A492C100
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: abort$CreateFrameInfo
                                                                                            • String ID: csm
                                                                                            • API String ID: 2697087660-1018135373
                                                                                            • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                                                            • Instruction ID: 8e53a65521ee80c4825287e4555be2d48ba7f1d8d6ca7ba1f8ceca1f3f500d4f
                                                                                            • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                                                            • Instruction Fuzzy Hash: F9514B3B71A78186E621AB15E05036E77A5FB88BE0F140535DB8D07B96CF38E460CB0A
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                                                            • String ID: !%x
                                                                                            • API String ID: 1195835417-1893981228
                                                                                            • Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                                                            • Instruction ID: ff0223a5383841507880574617f6e51155241eddd9c449e5b9a8b343dd9ab1ea
                                                                                            • Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                                                            • Instruction Fuzzy Hash: A7418E22F15A9199FB20CBE5D8A17EC2B31BB46B98F448531EE5D17B8EDF789185C300
                                                                                            APIs
                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFD94453305
                                                                                              • Part of subcall function 00007FFD944A25AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94455AF8), ref: 00007FFD944A25C6
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFD944557FA,?,?,?,00007FFD94454438), ref: 00007FFD944532FE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                                            • String ID: ios_base::failbit set
                                                                                            • API String ID: 1934640635-3924258884
                                                                                            • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                                                            • Instruction ID: 30e0f331d7a99db7518b62c76b0b2664eb8c3a4efa7656458a6abf7db3d9dde1
                                                                                            • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                                                            • Instruction Fuzzy Hash: 1621E921B09B8195DE70CB91E5902AAB394FB49BE0F548631EE9C43B9EEF7CC545CB00
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name::operator+
                                                                                            • String ID: void$void
                                                                                            • API String ID: 2943138195-3746155364
                                                                                            • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                                                            • Instruction ID: 8b4832de1243d745e929ea545057956a0c22f3a6f4a87b1db9822bedf1906e9a
                                                                                            • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                                                            • Instruction Fuzzy Hash: 1131686BF19A1588FB12DB64E8611EC33B0BB08398F840136DE4E22B5AEF3CD144C718
                                                                                            APIs
                                                                                              • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                                                            • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                                                            • API String ID: 1654775311-1428855073
                                                                                            • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                                                            • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                                                            • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                                                            • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                                                            APIs
                                                                                            • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFD9445C744), ref: 00007FFD9445F1D4
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B0
                                                                                              • Part of subcall function 00007FFD9448B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0B8
                                                                                              • Part of subcall function 00007FFD9448B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0C1
                                                                                              • Part of subcall function 00007FFD9448B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD94456093), ref: 00007FFD9448B0DD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                                            • String ID: false$true
                                                                                            • API String ID: 2502581279-2658103896
                                                                                            • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                                                            • Instruction ID: c07eeb74700f774e9ca233e195e148b8bcd93e3abc4f4dff5bf58ff815dd6a6c
                                                                                            • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                                                            • Instruction Fuzzy Hash: F0219166609B8581EB30DFA0E4A03A977A0FB99BA8F548532DA8C0775EDF7CD154C780
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileHeader$ExceptionRaise
                                                                                            • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                                                            • API String ID: 3685223789-3176238549
                                                                                            • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                                                            • Instruction ID: 514a6473184da5f2ec455aa57523c8f329a3bdf1d728aedf6f11f3c4e4a77c9f
                                                                                            • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                                                            • Instruction Fuzzy Hash: F10112ABB2BA4691EE429B14E4B0278A350FFA07E8F805431D54E067A7DF6CD505C709
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                            • String ID: csm
                                                                                            • API String ID: 2573137834-1018135373
                                                                                            • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                                                            • Instruction ID: d19e2db911e58761aaa035183fc0322d9bb5a22e14be81e763ed44811668218f
                                                                                            • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                                                            • Instruction Fuzzy Hash: BE115B36709B8182EB528F25F4502697BA5FB98BD8F684230DE8C07B99DF3CC5518704
                                                                                            APIs
                                                                                            • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD94456A3D
                                                                                              • Part of subcall function 00007FFD94454DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94466AB5,?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94454DF9
                                                                                              • Part of subcall function 00007FFD94454DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94466AB5,?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94454E28
                                                                                              • Part of subcall function 00007FFD94454DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFD94466AB5,?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94454E3F
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD94456A5A
                                                                                            Strings
                                                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFD94456A65
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$Getmonthsmallocmemcpy
                                                                                            • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                                                            • API String ID: 1628830074-2030377133
                                                                                            • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                                                            • Instruction ID: dce2a282884e11cf772c3fafc43a7b03fae755b5dbbd27bc2cc93bff5f7372fd
                                                                                            • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                                                            • Instruction Fuzzy Hash: F1E0C021B15742A1DE649B92F5D43656360FB49B94F849034DA0E06B5ADFBCE4B4C300
                                                                                            APIs
                                                                                            • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD944569ED
                                                                                              • Part of subcall function 00007FFD94454DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94466AB5,?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94454DF9
                                                                                              • Part of subcall function 00007FFD94454DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD94466AB5,?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94454E28
                                                                                              • Part of subcall function 00007FFD94454DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFD94466AB5,?,?,?,?,?,?,?,?,?,00007FFD9446A96E), ref: 00007FFD94454E3F
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD94456A0A
                                                                                            Strings
                                                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD94456A15
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$Getdaysmallocmemcpy
                                                                                            • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                                            • API String ID: 1347072587-3283725177
                                                                                            • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                                                            • Instruction ID: 9489f81ef0024829a9dd652d20eb41a9a2e19cd94b2cfd34d481d56c68c03125
                                                                                            • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                                                            • Instruction Fuzzy Hash: 29E0E521B15B42A2DF349B92F5D436563A0EF49B94F988134DA0D07B5ADFBCD4A4C700
                                                                                            APIs
                                                                                            • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD944562CD
                                                                                              • Part of subcall function 00007FFD94454D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D72
                                                                                              • Part of subcall function 00007FFD94454D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D98
                                                                                              • Part of subcall function 00007FFD94454D50: memcpy.VCRUNTIME140(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454DB0
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD944562EA
                                                                                            Strings
                                                                                            • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD944562F5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$Getdaysmallocmemcpy
                                                                                            • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                                            • API String ID: 1347072587-3283725177
                                                                                            • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                                                            • Instruction ID: 9f46b264a03460b918ae92d3d44c77afb6183ae8d4017f4420cf232503658f6a
                                                                                            • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                                                            • Instruction Fuzzy Hash: 5FE0E521B1574291DF249B92F5E4365A3A0FF45B80F84C434DA1D0775ADF7CD4A4C700
                                                                                            APIs
                                                                                            • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD9445633D
                                                                                              • Part of subcall function 00007FFD94454D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D72
                                                                                              • Part of subcall function 00007FFD94454D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454D98
                                                                                              • Part of subcall function 00007FFD94454D50: memcpy.VCRUNTIME140(?,?,?,00007FFD94462124,?,?,?,00007FFD944543DB,?,?,?,00007FFD94455B31), ref: 00007FFD94454DB0
                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD9445635A
                                                                                            Strings
                                                                                            • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFD94456365
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$Getmonthsmallocmemcpy
                                                                                            • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                                                            • API String ID: 1628830074-4232081075
                                                                                            • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                                                            • Instruction ID: 89cc08dca751f829f61cdc96eff0c70eb82e3b74fceb47aa2df97cccbb0a8d50
                                                                                            • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                                                            • Instruction Fuzzy Hash: 02E0C021B15742A1DE249B92F59436563A0EB55B90F488034DA1D0675ADFBCD4E4C740
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrow
                                                                                            • String ID:
                                                                                            • API String ID: 432778473-0
                                                                                            • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                                                            • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                                                            • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                                                            • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2401738058.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2401713838.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401818265.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401841751.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401865836.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                                            • Associated: 00000012.00000002.2401885291.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_140000000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                                                            • String ID:
                                                                                            • API String ID: 2822070131-0
                                                                                            • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                                                            • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                                                            • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                                                            • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,?,00007FFDAC1265B9,?,?,?,?,00007FFDAC12FB22,?,?,?,?,?), ref: 00007FFDAC12674B
                                                                                            • SetLastError.KERNEL32(?,?,?,00007FFDAC1265B9,?,?,?,?,00007FFDAC12FB22,?,?,?,?,?), ref: 00007FFDAC1267D4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403593802.00007FFDAC121000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC120000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2403571913.00007FFDAC120000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403643283.00007FFDAC131000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403666991.00007FFDAC132000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403690035.00007FFDAC136000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000012.00000002.2403709801.00007FFDAC137000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffdac120000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1452528299-0
                                                                                            • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                                                            • Instruction ID: 1ec01f95580df05a0dbc7174eb41fe29bb23bee610dbb1d64fecef217f1893ed
                                                                                            • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                                                            • Instruction Fuzzy Hash: BE11722FF0F65282FA568721A8642342291BF68BF4F944634D96E077D7DF2CF8418709
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                                                            • Instruction ID: cc5eaee7db89ea17968da913756194eeed3f591ccb8fb4e55f6dc6decaaaa2f8
                                                                                            • Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                                                            • Instruction Fuzzy Hash: 93F0E135B1AB0192DB689B55E6F416873A0FF89B90B548031CE4D47B69DFBCE4A5C300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                                                            • Instruction ID: 10a1046cf9a964f8351f10c4dadb33ba9ff9e0eb9cfa3ce296b86679d6659fb6
                                                                                            • Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                                                            • Instruction Fuzzy Hash: DDF0E131B1AB4196DB649B55E6E416873A0FF89B90B548031CE4D43B69DFBCE4A5C300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                                                            • Instruction ID: 9f3b2a4dd14456f2f8e0779a7b6c0a05644a47a9fda6e06d2578659be53c4175
                                                                                            • Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                                                            • Instruction Fuzzy Hash: E8F0E131B1AB0192D7649B55E6E417873A0FB89F94F548031CE4D43B69DFBDE4A5C300
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2403302495.00007FFD94451000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD94450000, based on PE: true
                                                                                            • Associated: 00000012.00000002.2402911217.00007FFD94450000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403437260.00007FFD944A5000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403456874.00007FFD944A6000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403496195.00007FFD944D3000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403524078.00007FFD944D4000.00000008.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000012.00000002.2403549019.00007FFD944D7000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_7ffd94450000_ImporterREDServer.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                                                            • Instruction ID: efdca4a086b0fd210aa8f0cd660929916ac9dc49b98443d04f7422ceb115fd16
                                                                                            • Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                                                            • Instruction Fuzzy Hash: ABE00A76B16A0192EB289F61D9F402863B4FFD9F59B585032CE1E46269DEF8D895C300