Windows Analysis Report
installer.msi

Overview

General Information

Sample name: installer.msi
Analysis ID: 1580947
MD5: 5f35dcef40d02aa98a28b01f76b20674
SHA1: da835acb9ffdcd854f722b8d44a38b4aa2c04dcf
SHA256: bbe217c3cd9c1375a9e06a3ec8b6d1ea8c3d5132bdcab62a0050608df896bdb8
Tags: LegionLoader, msi, RobotDropper, successroadway-com, user-aachum

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 2520 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 4588 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6004 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8DC69D35C541E3685C8EA051F14BAC5D MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 2080 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB87B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB869.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB86A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB86B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2752 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 740 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 2524 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma rule matches (five on the same process-creation event, one on a network connection)

Source: Process started
  Rule authors (one match per rule):
    Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
    Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
    frack113
    frack113
    Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Event data (identical for all five matches):
    Command / CommandLine / ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB87B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB869.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB86A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB86B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    CommandLine|base64offset|contains: (empty)
    Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 8DC69D35C541E3685C8EA051F14BAC5D
    ParentImage: C:\Windows\SysWOW64\msiexec.exe
    ParentProcessId: 6004
    ParentProcessName: msiexec.exe
    ProcessId: 2080
    ProcessName: powershell.exe

Source: Network Connection
  Rule author: frack113
  Event data:
    DestinationIp: 104.21.6.3
    DestinationIsIpv6: false
    DestinationPort: 443
    EventID: 3
    Image: C:\Windows\SysWOW64\msiexec.exe
    Initiated: true
    ProcessId: 6004
    Protocol: tcp
    SourceIp: 192.168.2.9
    SourceIsIpv6: false
    SourcePort: 49737

Suricata IDS alert
  Timestamp:         2024-12-26T13:25:24.803527+0100
  SID:               2829202
  Severity:          1
  Classtype:         A Network Trojan was detected
  Source IP:Port:    192.168.2.9:49737
  Destination IP:Port: 104.21.6.3:443
  Protocol:          TCP
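The Sigma hits above all key on relationships that are visible in plain process-creation and connection telemetry: a script host whose parent is msiexec.exe running as a COM server (-Embedding), a script loaded from a temp folder, an insecure -ExecutionPolicy, and msiexec.exe itself opening an outbound connection. The Python below is an added example and is not part of the Joe Sandbox report or of any Sigma rule's published logic. It replays constructed events modelled on the report's process tree (the PIDs, image paths and command lines printed above, plus one invented benign PowerShell launch and one invented benign connection as controls) through four small detections that approximate what the matched rules look for. The rule names, the event field names, and the SCRIPT_HOSTS and TEMP_DIRS lists are our own choices. Because 104.21.6.3 is a Cloudflare address (ASN CLOUDFLARENETUS in the Networking section), the network rule keys on which process opened the connection rather than on the IP.

```python
"""Replay the report's process tree and Sysmon EventID 3 record against small
detections that approximate the matched Sigma rules.
Added example: constructed events and home-grown rule logic, not report content."""
import ntpath
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon EventID 1 / Security 4688 style).
# PIDs, images and command lines of the first five come from the report's
# process tree; PID 7000 is an invented benign control.
PROCESS_EVENTS = [
    {"pid": 2520, "ppid": 0, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi"'},
    {"pid": 4588, "ppid": 0, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 6004, "ppid": 4588, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 8DC69D35C541E3685C8EA051F14BAC5D"},
    {"pid": 2080, "ppid": 6004,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File '
                r'"C:\Users\user\AppData\Local\Temp\pssB87B.ps1" '
                r'-propFile "C:\Users\user\AppData\Local\Temp\msiB869.txt"'},
    {"pid": 6060, "ppid": 2080, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7000, "ppid": 1234,  # invented benign control: admin runs a script from a tools dir
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -File "C:\Tools\inventory.ps1"'},
]

# Constructed connection events (Sysmon EventID 3 style). The first mirrors the
# record in the System Summary; the second is an invented benign SMB connection.
NETWORK_EVENTS = [
    {"pid": 6004, "dst_ip": "104.21.6.3", "dst_port": 443, "proto": "tcp"},
    {"pid": 7000, "dst_ip": "10.0.0.5", "dst_port": 445, "proto": "tcp"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# PowerShell accepts any unambiguous prefix of -ExecutionPolicy (-ep, -ex, -exec ...),
# so match on the prefix, not the full switch name.
INSECURE_POLICY = re.compile(r"-e[xp]\w*\s+(?:bypass|unrestricted)", re.I)


def _name(path):
    return ntpath.basename(path).lower()


def by_pid(events):
    return {e["pid"]: e for e in events}


def rule_msiexec_embedding_parent(events):
    """Script host spawned by msiexec.exe running as a COM server (-Embedding):
    an MSI custom action handed control to a script, not the user."""
    pids = by_pid(events)
    hits = []
    for e in events:
        parent = pids.get(e["ppid"])
        if (parent and _name(parent["image"]) == "msiexec.exe"
                and "-embedding" in parent["cmdline"].lower()
                and _name(e["image"]) in SCRIPT_HOSTS):
            hits.append(e["pid"])
    return hits


def rule_script_from_temp(events):
    """Script interpreter whose command line references a temp folder."""
    return [e["pid"] for e in events
            if _name(e["image"]) in SCRIPT_HOSTS
            and any(t in e["cmdline"].lower() for t in TEMP_DIRS)]


def rule_insecure_execution_policy(events):
    """-ExecutionPolicy Bypass/Unrestricted on powershell.exe or pwsh.exe."""
    return [e["pid"] for e in events
            if _name(e["image"]) in {"powershell.exe", "pwsh.exe"}
            and INSECURE_POLICY.search(e["cmdline"])]


def rule_msiexec_initiated_connection(events, net_events):
    """msiexec.exe itself opening an outbound connection."""
    pids = by_pid(events)
    return [n["pid"] for n in net_events
            if n["pid"] in pids and _name(pids[n["pid"]]["image"]) == "msiexec.exe"]


RULES = [
    ("msiexec_embedding_parent", rule_msiexec_embedding_parent),
    ("script_from_temp", rule_script_from_temp),
    ("insecure_execution_policy", rule_insecure_execution_policy),
]


def triage(events, net_events):
    """Run every rule; return {pid: sorted rule names}. A process hit by several
    rules at once is what makes the chain worth escalating."""
    findings = defaultdict(set)
    for name, rule in RULES:
        for pid in rule(events):
            findings[pid].add(name)
    for pid in rule_msiexec_initiated_connection(events, net_events):
        findings[pid].add("msiexec_initiated_connection")
    return {pid: sorted(names) for pid, names in findings.items()}


if __name__ == "__main__":
    for pid, names in sorted(triage(PROCESS_EVENTS, NETWORK_EVENTS).items()):
        print(pid, ", ".join(names))
```

Run as a script it lists PID 2080 with three rule names and PID 6004 with one; the benign control PID 7000 and the conhost.exe child produce nothing. Real telemetry needs the parent lookup to tolerate PID reuse (key on process GUIDs where the source provides them) and the temp-folder list extended to whatever staging directories the environment actually uses.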


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 88.1% probability
Source: C:\Windows\System32\msiexec.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7A90929D-3D90-469D-B804-2FF52DD02E47}
Source: unknown; HTTPS traffic detected: 104.21.6.3:443 -> 192.168.2.9:49737 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000000.1562895422.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000000.1572654655.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: installer.msi, 518572.msi.2.dr
Source: Binary string: ucrtbase.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: installer.msi, 518572.msi.2.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: installer.msi, 518572.msi.2.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\utest\lib\win\release\64\utest.pdb source: utest.dll.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000C.00000002.1574933911.00000001802BD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: installer.msi, 518572.msi.2.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140.dll.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\utest\lib\win\release\64\utest.pdb((! source: utest.dll.2.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.2.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000000.1572654655.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000000.1562895422.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: ucrtbase.pdbUGP source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: installer.msi, 518572.msi.2.dr
Source: C:\Windows\System32\msiexec.exe; File opened (drive enumeration, every letter except c: and d:, in this order): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, a:
Source: C:\Windows\System32\cmd.exe; File opened: c:
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe; Code function: 12_2_00007FF8F856A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn

Networking

Source: Network traffic; Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.9:49737 -> 104.21.6.3:443
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: successroadway.com
Source: unknown; HTTP traffic detected:
  POST /updater.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  User-Agent: AdvancedInstaller
  Host: successroadway.com
  Content-Length: 71
  Cache-Control: no-cache
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: utest.dll.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: utest.dll.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: installer.msi, 518572.msi.2.dr; String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 00000005.00000002.1512039550.000000000331F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microK
Source: powershell.exe, 00000005.00000002.1520509794.00000000079A0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: utest.dll.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: installer.msi, 518572.msi.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: utest.dll.2.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: installer.msi, 518572.msi.2.dr; String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: utest.dll.2.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: utest.dll.2.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: installer.msi, 518572.msi.2.dr; String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: utest.dll.2.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: utest.dll.2.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: installer.msi, 518572.msi.2.dr; String found in binary or memory: http://ocsp.digicert.com0K
Source: installer.msi, 518572.msi.2.dr; String found in binary or memory: http://ocsp.digicert.com0N
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000005.00000002.1516184839.0000000005456000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: installer.msi, 518572.msi.2.dr; String found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000005.00000002.1516184839.0000000005301000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1516184839.0000000005456000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: utest.dll.2.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ImporterREDServer.exe, 0000000C.00000002.1574933911.00000001802BD000.00000002.00000001.01000000.00000008.sdmp; String found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000005.00000002.1516184839.0000000005301000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: installer.msi, 518572.msi.2.dr; String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.1516184839.0000000005456000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: utest.dll.2.dr; String found in binary or memory: https://github.com/google/googletest/
Source: utest.dll.2.dr; String found in binary or memory: https://github.com/google/googletest/blob/master/googlemock/docs/CookBook.md#knowing-when-to-expect
Source: powershell.exe, 00000005.00000002.1516184839.000000000575B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: classes.jsa.2.dr; String found in binary or memory: https://java.oracle.com/
Source: powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: installer.msi, 518572.msi.2.dr; String found in binary or memory: https://successroadway.com/updater.phpx
Source: installer.msi, utest.dll.2.dr, 518572.msi.2.dr; String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown; HTTPS traffic detected: 104.21.6.3:443 -> 192.168.2.9:49737 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\518572.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8D9F.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8E0E.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8E4D.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8E8D.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8EDC.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8F0C.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI8F4B.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIABDD.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\SourceHash{7A90929D-3D90-469D-B804-2FF52DD02E47}
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIB7B5.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIB7C6.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\518575.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\518575.msi
Source: C:\Windows\System32\msiexec.exe; File deleted: C:\Windows\Installer\MSI8D9F.tmp
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F859F9DA
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F856F9B0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8582208
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F859A27C
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8586338
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8584340
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F857ABB0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8579460
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8580C60
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8585470
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8576440
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F85944E0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F857BCD0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8586C84
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8592D70
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F857CDF0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F859BDA0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F85995A8
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F859B698
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8583F00
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F857DF10
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8580710
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8578FB0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F856C780
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8584780
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F856D810
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F85760D0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F856E8B0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F8592880
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8FF5B7508
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-crt-convert-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr | Static PE information: No import functions for PE file found
Source: installer.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameDataUploader.dllF vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameucrtbase.dllj% vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenamevcruntime140.dllT vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenamemsvcp140.dllT vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs installer.msi
Source: installer.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs installer.msi
Source: classification engine | Classification label: mal64.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_0000000140010BE0 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F856A7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CMLC1B0.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_03
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFB03C3957A770F5A3.TMP
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8DC69D35C541E3685C8EA051F14BAC5D
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB87B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB869.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB86A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB86B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8DC69D35C541E3685C8EA051F14BAC5D
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB87B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB869.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB86A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB86B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: dvacore.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: libzip.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: boost_system.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: boost_filesystem.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: dvaunittesting.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: utest.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Section loaded: vcruntime140_1.dll
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7A90929D-3D90-469D-B804-2FF52DD02E47}Jump to behavior
Source: installer.msiStatic file information: File size 60333056 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000000.1562895422.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000000.1572654655.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: installer.msi, 518572.msi.2.dr
Source: Binary string: ucrtbase.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: installer.msi, 518572.msi.2.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: installer.msi, 518572.msi.2.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\utest\lib\win\release\64\utest.pdb source: utest.dll.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000C.00000002.1574933911.00000001802BD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: installer.msi, 518572.msi.2.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp, vcruntime140.dll.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\utest\lib\win\release\64\utest.pdb((! source: utest.dll.2.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.2.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000000.1572654655.0000000140013000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000000.1562895422.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: ucrtbase.pdbUGP source: installer.msi, 518572.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: installer.msi, 518572.msi.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: installer.msi, 518572.msi.2.dr
Source: api-ms-win-core-synch-l1-2-0.dll.2.dr | Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.2.dr | Static PE information: section name: _RDATA
Source: UnRar.exe.2.dr | Static PE information: section name: _RDATA
Source: BCUninstaller.exe.2.dr | Static PE information: section name: _RDATA
Source: createdump.exe.2.dr | Static PE information: section name: _RDATA
Source: MSIB7C6.tmp.2.dr | Static PE information: section name: .fptable
Source: MSI8D9F.tmp.2.dr | Static PE information: section name: .fptable
Source: MSI8E0E.tmp.2.dr | Static PE information: section name: .fptable
Source: MSI8E4D.tmp.2.dr | Static PE information: section name: .fptable
Source: MSI8E8D.tmp.2.dr | Static PE information: section name: .fptable
Source: MSI8EDC.tmp.2.dr | Static PE information: section name: .fptable
Source: MSI8F0C.tmp.2.dr | Static PE information: section name: .fptable
Source: MSI8F4B.tmp.2.dr | Static PE information: section name: .fptable
Source: MSIABDD.tmp.2.dr | Static PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_051E2F53 push eax; ret 5_2_051E2FA1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_051EAEAC pushad ; ret 5_2_051EAEB3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_051EBD82 push esp; ret 5_2_051EBD93
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_051EB87A push eax; ret 5_2_051EB883
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8E4D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8F0C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8E8D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8E0E.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8EDC.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIB7C6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D9F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8F4B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIABDD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIB7C6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D9F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8E0E.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8E4D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8F4B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8F0C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIABDD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8E8D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8EDC.tmp
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F859C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_00007FF8F859C0C0
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (72 occurrences)
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX (4 occurrences)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4129
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8E4D.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8E0E.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8EDC.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIB7C6.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8D9F.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8F4B.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8F0C.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIABDD.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8E8D.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4452 | Thread sleep count: 4129 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3656 | Thread sleep count: 253 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1556 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3112 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (7 occurrences)
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F856A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,12_2_00007FF8F856A330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: classes.jsa.2.dr | Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes.jsa.2.dr | Binary or memory string: ,jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes.jsa.2.dr | Binary or memory string: ()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes.jsa.2.dr | Binary or memory string: VirtualMachineError.java
Source: 518572.msi.2.dr | Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: classes.jsa.2.dr | Binary or memory string: jdk/vm/ci/common/JVMCIError
Source: classes.jsa.2.dr | Binary or memory string: jdk.vm.ci.services.JVMCIServiceLocator
Source: classes.jsa.2.dr | Binary or memory string: jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes.jsa.2.dr | Binary or memory string: &jdk.vm.ci.services.JVMCIServiceLocator
Source: classes.jsa.2.dr | Binary or memory string: ()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes.jsa.2.dr | Binary or memory string: java/lang/VirtualMachineError.class
Source: classes.jsa.2.dr | Binary or memory string: 7jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes.jsa.2.dr | Binary or memory string: <"()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes.jsa.2.dr | Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes.jsa.2.dr | Binary or memory string: java/lang/VirtualMachineError
Source: classes.jsa.2.dr | Binary or memory string: org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes.jsa.2.dr | Binary or memory string: %jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes.jsa.2.dr | Binary or memory string: jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes.jsa.2.dr | Binary or memory string: ;jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes.jsa.2.dr | Binary or memory string: jdk/vm/ci/runtime/JVMCI
Source: classes.jsa.2.dr | Binary or memory string: )()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: classes.jsa.2.dr | Binary or memory string: UG#java/lang/VirtualMachineError.class
Source: classes.jsa.2.dr | Binary or memory string: #()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes.jsa.2.dr | Binary or memory string: jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes.jsa.2.dr | Binary or memory string: jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes.jsa.2.dr | Binary or memory string: <org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes.jsa.2.dr | Binary or memory string: Ljava/lang/VirtualMachineError;
Source: classes.jsa.2.dr | Binary or memory string: ()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Code function: 9_2_00007FF680272ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00007FF680272ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Code function: 9_2_00007FF680272984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FF680272984
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Code function: 9_2_00007FF680273074 SetUnhandledExceptionFilter,9_2_00007FF680273074
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Code function: 9_2_00007FF680272ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00007FF680272ECC
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_0000000140011F24 SetUnhandledExceptionFilter,12_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8F85B2CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FF8F85B2CDC
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: 12_2_00007FF8FF5C004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FF8FF5C004C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB87B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB869.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB86A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB86B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." (2 occurrences)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssb87b.ps1" -propfile "c:\users\user\appdata\local\temp\msib869.txt" -scriptfile "c:\users\user\appdata\local\temp\scrb86a.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrb86b.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue." (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | Code function: ___lc_locale_name_func,GetLocaleInfoEx,12_2_00007FF8F858EFC0
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | Code function: 9_2_00007FF680272DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_00007FF680272DA0
ATT&CK matrix, one line per tactic, techniques listed in the report's column order (a leading number is the count badge the report shows next to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Windows Service; 11 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 21 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 11 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 Peripheral Device Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (rendered graph not preserved; node contents listed below)
Behavior Graph ID: 1580947 | Sample: installer.msi | Startdate: 26/12/2024 | Architecture: WINDOWS | Score: 64
Start-node findings: successroadway.com; Suricata IDS alerts for network traffic; AI detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder
Process tree (counts as shown in the graph):
  msiexec.exe 139 107 (started)
    dropped: C:\Windows\Installer\MSIB7C6.tmp, PE32; C:\Windows\Installer\MSIABDD.tmp, PE32; C:\Windows\Installer\MSI8F4B.tmp, PE32; 52 other files (none is malicious)
    msiexec.exe 14 (started)
      dnsIp: successroadway.com 104.21.6.3, 443, 49737 CLOUDFLARENETUS United States
      dropped: C:\Users\user\AppData\Local\...\scrB86A.ps1, Unicode; C:\Users\user\AppData\Local\...\pssB87B.ps1, Unicode; C:\Users\user\AppData\Local\...\msiB869.txt, Unicode
      signature: Bypasses PowerShell execution policy
      powershell.exe 17 (started)
        conhost.exe (started)
    cmd.exe 1 (started)
      ImporterREDServer.exe 1 (started)
        conhost.exe (started)
      conhost.exe (started)
    createdump.exe 1 (started)
      conhost.exe (started)
  msiexec.exe 2 (started)
No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll | 0% | ReversingLabs
C:\Windows\Installer\MSI8D9F.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI8E0E.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI8E4D.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI8E8D.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI8EDC.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI8F0C.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI8F4B.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIABDD.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIB7C6.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://successroadway.com/updater.php | 0% | Avira URL Cloud | safe
http://crl.microK | 0% | Avira URL Cloud | safe
https://java.oracle.com/ | 0% | Avira URL Cloud | safe
https://successroadway.com/updater.phpx | 0% | Avira URL Cloud | safe
NameIPActiveMaliciousAntivirus DetectionReputation
successroadway.com
104.21.6.3
truetrue
    unknown
    NameMaliciousAntivirus DetectionReputation
    https://successroadway.com/updater.phptrue
    • Avira URL Cloud: safe
    unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/google/googletest/ | utest.dll.2.dr | false | | high
https://successroadway.com/updater.phpx | installer.msi, 518572.msi.2.dr | false | Avira URL Cloud: safe | unknown
http://crl.microK | powershell.exe, 00000005.00000002.1512039550.000000000331F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.1516184839.0000000005456000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.1516184839.0000000005301000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 00000005.00000002.1520509794.00000000079A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.1516184839.0000000005456000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000005.00000002.1516184839.000000000575B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://java.oracle.com/ | classes.jsa.2.dr | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000005.00000002.1518879029.0000000006365000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mick | installer.msi, 518572.msi.2.dr | false | | high
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 0000000C.00000002.1574933911.00000001802BD000.00000002.00000001.01000000.00000008.sdmp | false | | high
https://aka.ms/winui2/webview2download/Reload(): | installer.msi, 518572.msi.2.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.1516184839.0000000005301000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.1516184839.0000000005456000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.6.3 | successroadway.com | United States | 13335 | CLOUDFLARENETUS | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1580947
                                    Start date and time:2024-12-26 13:24:18 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 30s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:installer.msi
                                    Detection:MAL
                                    Classification:mal64.evad.winMSI@17/91@1/1
                                    EGA Information:
                                    • Successful, ratio: 33.3%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 12
                                    • Number of non-executed functions: 193
                                    Cookbook Comments:
                                    • Found application associated with file extension: .msi
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ImporterREDServer.exe, PID 740 because there are no executed functions
                                    • Execution Graph export aborted for target powershell.exe, PID 2080 because it is empty
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
07:25:25 | API Interceptor | 4x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.6.3 | setup.msi | malicious | Unknown |
104.21.6.3 | setup.msi | malicious | Unknown |
104.21.6.3 | Remittance Advice.eml | malicious | ReCaptcha Phish |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
successroadway.com | setup.msi | malicious | Unknown | 104.21.6.3
successroadway.com | setup.msi | malicious | Unknown | 104.21.6.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | setup.msi | malicious | Unknown | 104.21.6.3
CLOUDFLARENETUS | pVbAZEFIpI.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | GxX48twWHA.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | ERTL09tA59.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | MaZjv5XeQi.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | jT7sgjdTea.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | Y4svWfRK1L.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | YKri2nEBWE.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | 0c8cY5GOMh.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | setup.msi | malicious | Unknown | 104.21.6.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | setup.msi | malicious | Unknown | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | setup.msi | malicious | Unknown | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | HVlonDQpuI.exe | malicious | Vidar | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | 00000.ps1 | malicious | LummaC | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | 123.ps1 | malicious | LummaC | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | blq.exe | malicious | Gh0stCringe, RunningRAT, XRed | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | PodcastsTries.exe | malicious | Vidar | 104.21.6.3
37f463bf4616ecd445d4a1937da06e19 | New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | 104.21.6.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | E8vC8KRIp1.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | 3gPZmVbozD.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | installer.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | setup.msi | malicious | Unknown |
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe | Setup.msi | malicious | Unknown |
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):20535
                                                              Entropy (8bit):5.819282512990886
                                                              Encrypted:false
                                                              SSDEEP:384:To8Qvcd2pn3o8VT8e58tdg1nvEx9XlGtkv8GuGNXSylsmYbC82O7PnXhYneyqhNj:TBQvcd2pn3BVT8eatdg1nvEx9XlGtkkR
                                                              MD5:778508D072F39C1EB6975DA5B28B4F02
                                                              SHA1:4091522387EC268CAE951AD16E68957BDE25CCAD
                                                              SHA-256:9E98135D54B866AD3C9C1584C6C0F4B9D0ACC9303049CE07EC5735FDE0CFBD9D
                                                              SHA-512:15606F88FF70E6DF08C7EE02AB77B8464E28B56CF67E169A52AE6E81F64B2CEBC00C843478C4AACFE3886F74F924BF836D2B2DC6DCE057C9F6BA4A62477E0DC3
                                                              Malicious:false
                                                              Preview:...@IXOS.@.....@.;.Y.@.....@.....@.....@.....@.....@......&.{7A90929D-3D90-469D-B804-2FF52DD02E47}..Cave App..installer.msi.@.....@.....@.....@......icon_22.exe..&.{E80F2B59-D743-41E0-8072-3664F2FD7ADC}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{7A90929D-3D90-469D-B804-2FF52DD02E47}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{7A90929D-3D90-469D-B804-2FF52DD02E47}.@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}&.{7A90929D-3D90-469D-B804-2FF52DD02E47}.@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}&.{7A90929D-3D90-469D-B804-2FF52DD02E47}.@......&.{DE28A560-E5E1-4035-8CA3-44934686A249}&.{7A90929D-3D90-469D-B804-2FF52DD02E47}.@......&.{03D39B98-E7BB-4062-BD92-307D642A5CF1}&.{7A90929D-3D90-469D-B804-2FF52DD02E47}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{7A90929D-3D90-46
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1360
                                                              Entropy (8bit):5.415059038751397
                                                              Encrypted:false
                                                              SSDEEP:24:3Uyt3WSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R82r+SVbR:ky9WSU4xymI4RfoUeW+mZ9tK8NWR82jD
                                                              MD5:FD6EFA8F14C5DC6D31919F10350E7E37
                                                              SHA1:19C81E14CD96499CA522E985EF49006061DDE189
                                                              SHA-256:9BCB3D1FF78418525F66B02DAD61C5A09975BF673C27EBD9EAB7AF1B3CACBCBE
                                                              SHA-512:EF44DB604F1990F96A422C4937D87CFA31C0793BC1E5B03EABFD464480633EACBB286A7DD31EE3250DCAC55585DC7E55EB4E504D44973A4E66D7A3AC13E4D0EA
                                                              Malicious:false
                                                              Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\msiexec.exe
                                                              File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):96
                                                              Entropy (8bit):2.99798449505456
                                                              Encrypted:false
                                                              SSDEEP:3:QmalTuOIAlSRYplflbPRYplf955:Qmalt9lLZiLN
                                                              MD5:F26BF481CA203C7D611850139ACBEF41
                                                              SHA1:EA86C45B436D1B8F5F42F87AE5034332A5BCFEC4
                                                              SHA-256:A6AE6BBFC3486BA26A9A3C67B127D6972D16B8B925BDE4AF20880EE1B1D997CB
                                                              SHA-512:D1D2AE7C30A146AC1A85BDC133CE1F105AFC6F4EC8C5BD21A8EAACD0910929D3A9FCB540AB533A253C296C51DC71D1AE58749F7449DAB1C530E82D78D3544E4E
                                                              Malicious:true
Preview (UTF-16LE decoded):CeveralSes :<->:  <<:>> TrialNow :<->: 0 <<:>> 
                                                              Process:C:\Windows\SysWOW64\msiexec.exe
                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):6668
                                                              Entropy (8bit):3.5127462716425657
                                                              Encrypted:false
                                                              SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                              MD5:30C30EF2CB47E35101D13402B5661179
                                                              SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                              SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                              SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                              Malicious:true
Preview (UTF-16LE decoded, truncated as in the report):
param(
  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
 ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
 ,[Parameter(Mandatory=$true)]
                                                              Process:C:\Windows\SysWOW64\msiexec.exe
                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):250
                                                              Entropy (8bit):3.576902729499699
                                                              Encrypted:false
                                                              SSDEEP:6:QfFok79idK3fclQ9zgltHN+KiVmMXFVrMTlp1LlG7JidK3fpdInO:QfF3IugM/XFVrMTWNvn
                                                              MD5:479FAC6E0C05C5A57698619AFE51DEF2
                                                              SHA1:1AF4A4DB75ACE8324ED7BFF59D711E80A7BDB821
                                                              SHA-256:700080D274E5629A2BFA0D47B9BAF53AD69E67A64A2B04D84115D5851AB3DDBD
                                                              SHA-512:B0B5065C216EBC1124B985F3FF86EE7C7E7E9B994190D1103C454EDD602E0242B7160BFFB202538470254675DFACAC6159F1A459B979DAD563BDED84FCED193E
                                                              Malicious:true
Preview (UTF-16LE decoded):
$oignqp = AI_GetMsiProperty "CeveralSes"
$avoijg = [uint32]($oignqp -replace 'b', '')
AI_SetMsiProperty "TrialNow" $avoijg
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                              Category:dropped
                                                              Size (bytes):372526
                                                              Entropy (8bit):4.467275942115759
                                                              Encrypted:false
                                                              SSDEEP:3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
                                                              MD5:B52B2D1D4C9E56CA24AB0CD0730CC5AD
                                                              SHA1:C70A3683DF57DE3096CA58F314C0B649035392CC
                                                              SHA-256:73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
                                                              SHA-512:CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):310928
                                                              Entropy (8bit):6.001677789306043
                                                              Encrypted:false
                                                              SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                              MD5:147B71C906F421AC77F534821F80A0C6
                                                              SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                              SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                              SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Joe Sandbox View:
                                                              • Filename: setup.msi, Detection: malicious, Browse
                                                              • Filename: setup.msi, Detection: malicious, Browse
                                                              • Filename: installer.msi, Detection: malicious, Browse
                                                              • Filename: E8vC8KRIp1.msi, Detection: malicious, Browse
                                                              • Filename: installer.msi, Detection: malicious, Browse
                                                              • Filename: 3gPZmVbozD.msi, Detection: malicious, Browse
                                                              • Filename: setup.msi, Detection: malicious, Browse
                                                              • Filename: installer.msi, Detection: malicious, Browse
                                                              • Filename: setup.msi, Detection: malicious, Browse
                                                              • Filename: Setup.msi, Detection: malicious, Browse
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}|...|...|....../p....../v....../1...u.a.l....../u...|........./v....../}...Rich|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):117496
                                                              Entropy (8bit):6.136079902481222
                                                              Encrypted:false
                                                              SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                              MD5:F67792E08586EA936EBCAE43AAB0388D
                                                              SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                              SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                              SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,|..B/..B/..B/.../..B/.G...B/.F...B/.A...B/.C...B/.C...B/..G...B/<.C...B/..C/..B/<.G...B/<../..B/.../..B/<.@...B/Rich..B/................PE..d.....-a..........#............................@.....................................].... .................................................D...,...............`....................]..T...................P_..(...P^...............0..H............................text............................... ..`.rdata...o...0...p..."..............@..@.data...@...........................@....pdata..`...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):506008
                                                              Entropy (8bit):6.4284173495366845
                                                              Encrypted:false
                                                              SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                              MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                              SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                              SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                              SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............|.&.....|.$.J...|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):12224
                                                              Entropy (8bit):6.596101286914553
                                                              Encrypted:false
                                                              SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                              MD5:919E653868A3D9F0C9865941573025DF
                                                              SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                              SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                              SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):12224
                                                              Entropy (8bit):6.640081558424349
                                                              Encrypted:false
                                                              SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                              MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                              SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                              SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                              SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11712
                                                              Entropy (8bit):6.6023398138369505
                                                              Encrypted:false
                                                              SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                              MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                              SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                              SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                              SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11720
                                                              Entropy (8bit):6.614262942006268
                                                              Encrypted:false
                                                              SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                              MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                              SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                              SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                              SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11720
                                                              Entropy (8bit):6.654155040985372
                                                              Encrypted:false
                                                              SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                              MD5:94788729C9E7B9C888F4E323A27AB548
                                                              SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                              SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                              SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):15304
                                                              Entropy (8bit):6.548897063441128
                                                              Encrypted:false
                                                              SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                              MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                              SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                              SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                              SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11712
                                                              Entropy (8bit):6.622041192039296
                                                              Encrypted:false
                                                              SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                              MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                              SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                              SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                              SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11720
                                                              Entropy (8bit):6.730719514840594
                                                              Encrypted:false
                                                              SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                              MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                              SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                              SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                              SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11720
                                                              Entropy (8bit):6.626458901834476
                                                              Encrypted:false
                                                              SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                              MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                              SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                              SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                              SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):12232
                                                              Entropy (8bit):6.577869728469469
                                                              Encrypted:false
                                                              SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                              MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                              SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                              SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                              SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11712
                                                              Entropy (8bit):6.6496318655699795
                                                              Encrypted:false
                                                              SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                              MD5:A038716D7BBD490378B26642C0C18E94
                                                              SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                              SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                              SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):12736
                                                              Entropy (8bit):6.587452239016064
                                                              Encrypted:false
                                                              SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                              MD5:D75144FCB3897425A855A270331E38C9
                                                              SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                              SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                              SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):14280
                                                              Entropy (8bit):6.658205945107734
                                                              Encrypted:false
                                                              SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                              MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                              SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                              SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                              SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):12224
                                                              Entropy (8bit):6.621310788423453
                                                              Encrypted:false
                                                              SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                              MD5:808F1CB8F155E871A33D85510A360E9E
                                                              SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                              SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                              SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11720
                                                              Entropy (8bit):6.7263193693903345
                                                              Encrypted:false
                                                              SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                              MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                              SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                              SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                              SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):12744
                                                              Entropy (8bit):6.601327134572443
                                                              Encrypted:false
                                                              SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                              MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                              SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                              SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                              SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):14272
                                                              Entropy (8bit):6.519411559704781
                                                              Encrypted:false
                                                              SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                              MD5:E173F3AB46096482C4361378F6DCB261
                                                              SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                              SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                              SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):12232
                                                              Entropy (8bit):6.659079053710614
                                                              Encrypted:false
                                                              SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                              MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                              SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                              SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                              SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11200
                                                              Entropy (8bit):6.7627840671368835
                                                              Encrypted:false
                                                              SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                              MD5:0233F97324AAAA048F705D999244BC71
                                                              SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                              SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                              SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):12224
                                                              Entropy (8bit):6.590253878523919
                                                              Encrypted:false
                                                              SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                              MD5:E1BA66696901CF9B456559861F92786E
                                                              SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                              SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                              SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11720
                                                              Entropy (8bit):6.672720452347989
                                                              Encrypted:false
                                                              SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                              MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                              SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                              SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                              SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):13760
                                                              Entropy (8bit):6.575688560984027
                                                              Encrypted:false
                                                              SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                              MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                              SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                              SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                              SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):12232
                                                              Entropy (8bit):6.70261983917014
                                                              Encrypted:false
                                                              SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                              MD5:D175430EFF058838CEE2E334951F6C9C
                                                              SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                              SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                              SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12744
Entropy (8bit):6.599515320379107
Encrypted:false
SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
MD5:9D43B5E3C7C529425EDF1183511C29E4
SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .rdata, .rsrc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12232
Entropy (8bit):6.690164913578267
Encrypted:false
SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
MD5:43E1AE2E432EB99AA4427BB68F8826BB
SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .rdata, .rsrc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):11720
Entropy (8bit):6.615761482304143
Encrypted:false
SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
MD5:735636096B86B761DA49EF26A1C7F779
SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8BC2DA0[SEE NOTE]
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .rdata, .rsrc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12744
Entropy (8bit):6.627282858694643
Encrypted:false
SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
MD5:031DC390780AC08F498E82A5604EF1EB
SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .rdata, .rsrc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):15816
Entropy (8bit):6.435326465651674
Encrypted:false
SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
MD5:285DCD72D73559678CFD3ED39F81DDAD
SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .rdata, .rsrc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):12232
Entropy (8bit):6.5874576656353145
Encrypted:false
SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .rdata, .rsrc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):13768
Entropy (8bit):6.645869978118917
Encrypted:false
SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
MD5:41FBBB054AF69F0141E8FC7480D7F122
SHA1:3613A572B462845D6478A92A94769885DA0843AF
SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .rdata, .rsrc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):61176
Entropy (8bit):5.850944458899023
Encrypted:false
SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
MD5:3B02A4FCAAC283D3C5E082B62F88BE25
SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .text, .rdata, .data, .pdata, .rsrc, .reloc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):127224
Entropy (8bit):6.217127607919178
Encrypted:false
SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
SHA1:85CA9C24AD7CF07830E86607723770645D724C28
SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .text, .rdata, .data, .pdata, .rsrc, .reloc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):418040
Entropy (8bit):6.1735291180760505
Encrypted:false
SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
MD5:1CC74B77B1A0B6F14B19F45412D62227
SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .text, .rdata, .data, .pdata, .rsrc, .reloc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):698104
Entropy (8bit):6.463466021766765
Encrypted:false
SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
MD5:087DAF44CD13B79E4D59068B3A1C6250
SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .text, .rdata, .data, .pdata, .rsrc, .reloc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):31480
Entropy (8bit):5.969706735107452
Encrypted:false
SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
MD5:CC2C7E9435E8F818F3114AEFCC84E053
SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .text, .rdata, .data, .pdata, .rsrc, .reloc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):103672
Entropy (8bit):5.851546804507911
Encrypted:false
SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
MD5:129051E3B7B8D3CC55559BEDBED09486
SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ header, "This program cannot be run in DOS mode" DOS stub, Rich header, PE signature with machine bytes "d." (0x8664, x86-64); section table: .text, .rdata, .data, .pdata, .rsrc, .reloc (non-printable bytes are rendered as dots in the report; trailing zero padding omitted)
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):57488
                                                              Entropy (8bit):6.382541157520703
                                                              Encrypted:false
                                                              SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                              MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                              SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                              SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                              SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):4664568
                                                              Entropy (8bit):6.259383987199329
                                                              Encrypted:false
                                                              SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                              MD5:A6A89F55416DB79D9E13B82685A04D60
                                                              SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                              SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                              SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........$n..J=..J=..J=...=..J=..N<..J=..I<..J=..O<..J=..K<..J=..N<..J=..L<..J=..K<..J=..K<..J=..K=i.J=..N<..J=..O<U.J=..J<..J=..=..J=...=..J=..H<..J=Rich..J=................PE..d.....-a.........." ......+..........f(.......................................I.......H... ..........................................7>.8.....A......@I.......G......G......PI..F....1.T...................0.1.(...0.1...............+..............................text.....+.......+................. ..`.rdata.......+.......+.............@..@.data....'...`B......DB.............@....pdata.......G.......E.............@..@.rsrc........@I.......F.............@..@.reloc...F...PI..H....F.............@..B........................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):215288
                                                              Entropy (8bit):6.050529290720027
                                                              Encrypted:false
                                                              SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                              MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                              SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                              SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                              SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[..5...5...5......5...1...5...6...5...0...5...4...5...4...5.#.4...5...4.-.5.#.0...5.#.5...5.#....5.......5.#.7...5.Rich..5.........PE..d.....-a.........." .........j...............................................p............ ..............................................!...........P..h....0.......,.......`..........T...........................@................................................text............................... ..`.rdata..............................@..@.data....$..........................@....pdata.......0... ..................@..@.rsrc...h....P......."..............@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:RAR archive data, v5
                                                              Category:dropped
                                                              Size (bytes):407806
                                                              Entropy (8bit):7.999532124658577
                                                              Encrypted:true
                                                              SSDEEP:12288:h1lbiMg1O2KLgCmFWwamgXMNHjzAGWbzR7BULM:A/ogJrzbWbzhBv
                                                              MD5:DC4B33E019040D17A80F08288989F505
                                                              SHA1:3AE9CACF5046E4C33EF3F7737F64C4EEC8218132
                                                              SHA-256:41B7E9D296386637724C81E54C52848BF25267667928BBDEEFAA3ECAC7275DA5
                                                              SHA-512:2F33ACEDA39885438F1650FB9C26490182474A296D2A104518BDADFB4B9F938265FF3DF2C9B91E3DAD10E096F34BA5B7ECACB1A61C3337A8F6071389A8486474
                                                              Malicious:false
                                                              Preview:Rar!.....S..!........^...z..he....d.fMZp...Hsb..Z.....S.......v....Q.-.....@i. ."!ai..<...x.P..@'.X.....Hh.k.3...t...P...D....,..Ps..y..:F...4.`9o...B+n..S.....-.!.....^...Kw;.d..O...J...v.`...0..Y.s..W2zx...o%x/ . _.7.~.\....@..:.>....\q..._.....".>w.s..}a.&...{...A..n...Q*........!#=_.y...g..g.;...h..o..V._c~.3w.O.]....q[...N..=0.?.Ze.k..P....g3...)V..k'..h*.t......h.{.....^.q..|.$P.......r}O..........B..CG.2..[.."0.G........."r...1.......?.?!..C ..G.t.Bc/9B..D!uU^..&.m/Uu..D..#K....moe,..W.*....o.zD...B..W..A.4..D.GqW....ui.vg....x.U..|#W.F.Cd*B.e.&..Z.~H_$b........%..Na......8...K]..z.VL.!j..9o.aE....\j<.Nj.e{..:..*-.xg..bS....d...'..Wl{.v@...Nn...r.e'."..u.6..z&.4.....h..g...VO?...."D.hE...i.6.h<t6.$>b.\.5..}3[W...U3.'I........>.....r.....)..9..".v;..j...q..\...L......`I......P..e3VI.I.`..V.R..o.a.|.+..ER.....~.o,b.QE..8.g..W...)....%.#&.....K .-..{.K.T...h.Ma>.f..7en..\.uv.YK.b'.5B%.q'M...u.`...y"..~:g.9...#A<;.......j.
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):566704
                                                              Entropy (8bit):6.494428734965787
                                                              Encrypted:false
                                                              SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                              MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                              SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                              SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                              SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):22
                                                              Entropy (8bit):3.879664004902594
                                                              Encrypted:false
                                                              SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                              MD5:D9324699E54DC12B3B207C7433E1711C
                                                              SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                              SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                              SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                              Malicious:false
                                                              Preview:@echo off..Start "" %1
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):12124160
                                                              Entropy (8bit):4.1175508751036585
                                                              Encrypted:false
                                                              SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                              MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                              SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                              SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                              SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                              Malicious:false
                                                              Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):12124160
                                                              Entropy (8bit):4.117842215789484
                                                              Encrypted:false
                                                              SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                              MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                              SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                              SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                              SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                              Malicious:false
                                                              Preview:....j..L.........*.\.....................................+..............................j..-.....................................!>.............................|<:.......................A.......@...... t...............................".....................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Java jmod module version 1.0
                                                              Category:dropped
                                                              Size (bytes):51389
                                                              Entropy (8bit):7.916683616123071
                                                              Encrypted:false
                                                              SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                              MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                              SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                              SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                              SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                              Malicious:false
                                                              Preview:JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^*#.j...R.A..qV.1o...p.....|._.-N$.!.;X....|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be.*.eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.*t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N....*..r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Java jmod module version 1.0
                                                              Category:dropped
                                                              Size (bytes):12133334
                                                              Entropy (8bit):7.944474086295981
                                                              Encrypted:false
                                                              SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                              MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                              SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                              SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                              SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                              Malicious:false
                                                              Preview:JM..PK.........n/Q................classes/module-info.class.X...e../.l.!..!.#..M..."..g..#.B.........0;{.AAD.EE..QQQ.aG....{.]....7......~.{....k...{....<HD...4.......x%?G.4_St.Z...\..].+c..t.t........iC./...gZ..].8C..D'M...\3.+~5......z.<.f1..2.v./.As.Lv.....`2.M%...d.h..S`....YC.....D.u0-l.V#.5.,.e..)[..[.v..*............d.I...A........A+&."..8g.)"..E..1!.Z.]....Ak..5.......<'..L8bC..V4.U2.~$...i....)."I...O...d:......@..S...w0m...-....2..x....z.....O....k.8.}....P.....=..I/...<../.d..k....43VL.i...........C.S|`..!b.8....3.Ey..S..e..+.../T..j...g..B.@q9.."..>.LU..2-i....-.!....Z....g.BGl.j..R...Z.D.YJ.Kd...9 l.FN4.Rk.22..b..Rn...u..x.,...j.I.aZ.....X[{L.e..Z#..`.Z...*8..[.p..0.(...j..W..-M...V..H7.c.KN...5e.."...t[um..R...UF.c..1.....z|z.EeO..j..k.V..\x.8.....et;.9.^.Pa..+......U....Iu.q.t....HY.g...q.......omK...FKr1.F..F?.i.d../.]....68..L.........W..s.CU.|y.....zE..Q\...82..W.i[.#Q..xm......P..u.<.#...yC...,........~B..|sF.
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Java jmod module version 1.0
                                                              Category:dropped
                                                              Size (bytes):41127
                                                              Entropy (8bit):7.961466748192397
                                                              Encrypted:false
                                                              SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                              MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                              SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                              SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                              SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                              Malicious:false
                                                              Preview:JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...*A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z|*.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Java jmod module version 1.0
                                                              Category:dropped
                                                              Size (bytes):113725
                                                              Entropy (8bit):7.928841651831531
                                                              Encrypted:false
                                                              SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                              MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                              SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                              SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                              SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                              Malicious:false
                                                              Preview:JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm......*..Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h.*.^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz|..^.........8q..{...}.*G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j*..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Java jmod module version 1.0
                                                              Category:dropped
                                                              Size (bytes):896846
                                                              Entropy (8bit):7.923431656723031
                                                              Encrypted:false
                                                              SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                              MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                              SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                              SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                              SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                              Malicious:false
                                                              Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):639224
                                                              Entropy (8bit):6.219852228773659
                                                              Encrypted:false
                                                              SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                              MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                              SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                              SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                              SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):98224
                                                              Entropy (8bit):6.452201564717313
                                                              Encrypted:false
                                                              SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                              MD5:F34EB034AA4A9735218686590CBA2E8B
                                                              SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                              SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                              SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):37256
                                                              Entropy (8bit):6.297533243519742
                                                              Encrypted:false
                                                              SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                              MD5:135359D350F72AD4BF716B764D39E749
                                                              SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                              SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                              SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E80F2B59-D743-41E0-8072-3664F2FD7ADC}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 07:05:13 2024, Last Saved Time/Date: Thu Dec 26 07:05:13 2024, Last Printed: Thu Dec 26 07:05:13 2024, Number of Pages: 450
                                                              Category:dropped
                                                              Size (bytes):60333056
                                                              Entropy (8bit):7.202428166979746
                                                              Encrypted:false
                                                              SSDEEP:786432:gGZTjVmrjV7eIAtehOTZxoZ4sdUuzt/NCaY2ksCl:gGVVmrjV7eIvhOTZCRjVCa1t8
                                                              MD5:5F35DCEF40D02AA98A28B01F76B20674
                                                              SHA1:DA835ACB9FFDCD854F722B8D44A38B4AA2C04DCF
                                                              SHA-256:BBE217C3CD9C1375A9E06A3EC8B6D1EA8C3D5132BDCAB62A0050608DF896BDB8
                                                              SHA-512:D5431E321419F89E0B6ED5564BBC54EEF41D5F792D91ECE635AF937F6F519B1AE222D6865AFB757EDE32810A2F8549634CB316126231BBA05AE5D4B11D6CB076
                                                              Malicious:false
                                                              Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...N...K...L...e...O...""..P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E80F2B59-D743-41E0-8072-3664F2FD7ADC}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 07:05:13 2024, Last Saved Time/Date: Thu Dec 26 07:05:13 2024, Last Printed: Thu Dec 26 07:05:13 2024, Number of Pages: 450
                                                              Category:dropped
                                                              Size (bytes):60333056
                                                              Entropy (8bit):7.202428166979746
                                                              Encrypted:false
                                                              SSDEEP:786432:gGZTjVmrjV7eIAtehOTZxoZ4sdUuzt/NCaY2ksCl:gGVVmrjV7eIvhOTZCRjVCa1t8
                                                              MD5:5F35DCEF40D02AA98A28B01F76B20674
                                                              SHA1:DA835ACB9FFDCD854F722B8D44A38B4AA2C04DCF
                                                              SHA-256:BBE217C3CD9C1375A9E06A3EC8B6D1EA8C3D5132BDCAB62A0050608DF896BDB8
                                                              SHA-512:D5431E321419F89E0B6ED5564BBC54EEF41D5F792D91ECE635AF937F6F519B1AE222D6865AFB757EDE32810A2F8549634CB316126231BBA05AE5D4B11D6CB076
                                                              Malicious:false
                                                              Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...N...K...L...e...O...""..P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1021792
                                                              Entropy (8bit):6.608727172078022
                                                              Encrypted:false
                                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1021792
                                                              Entropy (8bit):6.608727172078022
                                                              Encrypted:false
                                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1021792
                                                              Entropy (8bit):6.608727172078022
                                                              Encrypted:false
                                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1021792
                                                              Entropy (8bit):6.608727172078022
                                                              Encrypted:false
                                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1201504
                                                              Entropy (8bit):6.4557937684843365
                                                              Encrypted:false
                                                              SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                              MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                              SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                              SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                              SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.|CF..@G.|DF..@G.|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1021792
                                                              Entropy (8bit):6.608727172078022
                                                              Encrypted:false
                                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1021792
                                                              Entropy (8bit):6.608727172078022
                                                              Encrypted:false
                                                              SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                              MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                              SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                              SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                              SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):380520
                                                              Entropy (8bit):6.512348002260683
                                                              Encrypted:false
                                                              SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                              MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                              SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                              SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                              SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):392729
                                                              Entropy (8bit):4.731481746298714
                                                              Encrypted:false
                                                              SSDEEP:3072:QpY9LAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOz0:QpY9UCANx6xPZX9mBt
                                                              MD5:D33C8A377A9AD724924155365DC0BBCE
                                                              SHA1:A079D22D9476DDEEC1C3C4E141B6FC82CBD985C2
                                                              SHA-256:6B46A20D602254AEC195F4C238C46D16D8B75E16C2BDA04F3D177A1C1A8DDB04
                                                              SHA-512:89872F8C7D02651F1D58960D7C2E483E56B860294CA173797E7EA3522669DF1261B34DF7AFEAABE38A82A4F399F8176A4BD7016C16F67B5245B5E46CD398739C
                                                              Malicious:false
                                                              Preview:...@IXOS.@.....@-;.Y.@.....@.....@.....@.....@.....@......&.{7A90929D-3D90-469D-B804-2FF52DD02E47}..Cave App..installer.msi.@.....@.....@.....@......icon_22.exe..&.{E80F2B59-D743-41E0-8072-3664F2FD7ADC}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}=.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}3.21:\Software\Weqos Apps Industries\Cave App\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}H.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}O.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll.@.......@.....@.....@......&.{DE28A
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):787808
                                                              Entropy (8bit):6.693392695195763
                                                              Encrypted:false
                                                              SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                              MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                              SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                              SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                              SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):1.163683287469867
                                                              Encrypted:false
                                                              SSDEEP:12:JSbX72FjEmQAGiLIlHVRpiBh/7777777777777777777777777vDHFIKreNfEgXF:JGlQI5AmmeNpsF
                                                              MD5:63BC976A0D8FE0A716FFA12E32BB2680
                                                              SHA1:E9F2CFD613D22B9A1B50D78EBD8F9290D174A549
                                                              SHA-256:0C23E04A83D3E3D8B393249C93642E273FD173A851EDFF6D0F23C31AEE636A65
                                                              SHA-512:8F0099D953D1F0CE0E0DB7A0D95FC512DD09D11BB9D238FED8D3DD19DCE0EA51C1450FF2EE823B39A261D68BD4F7A766D9D4A2E4BC479C0D17FF3169E3FB56F0
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):1.566935956982411
                                                              Encrypted:false
                                                              SSDEEP:48:u8PhcuRc06WXJ4FT5lxOacwMoAEu5CyISuacZgUXSacwSuacoTN:hhc1bFTrxOvDv5Cn1v+UXSvw1v
                                                              MD5:12DF2DF13EA07A091625DFA64BD636E9
                                                              SHA1:642F6421324FE71948B071DE45248E11200E2BD2
                                                              SHA-256:AC3E13F0CA5B4CBE1F4C929ABEF74959F824C37F162A1EA86D596BBF9FE1C1F6
                                                              SHA-512:34B2DBCBD17DFCC318D0B3C2A07864FAE69B942DFAD9C5998C75A81236A59D27D5618A0DA5AF42E4CC85D266FDF311E14DA1FF67CA100BAABB386060ABA6CBD5
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):360001
                                                              Entropy (8bit):5.362961771357333
                                                              Encrypted:false
                                                              SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauw:zTtbmkExhMJCIpEB
                                                              MD5:F92E323945837891DCB83EE64D6098CF
                                                              SHA1:4D925ABC54C906905C6570FAFEB98B414AC38C1B
                                                              SHA-256:D735F51F930E8F1E4A06A1B8681EE1D8E3621235ED8F80DB78EA47DA6F6BD28B
                                                              SHA-512:6A714A50D927708DE40CBE748DA601369B2BC95E5CB31B077769A562B628EE4F4F8D89FD7AE640F561A77CEC17A0659AEF86EA638FC1563EC693F5D5E6D8D7DD
                                                              Malicious:false
                                                              Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):32768
                                                              Entropy (8bit):1.2557089527891394
                                                              Encrypted:false
                                                              SSDEEP:48:bVUuGBO+CFXJ9T5ELxOacwMoAEu5CyISuacZgUXSacwSuacoTN:hUn6VTuLxOvDv5Cn1v+UXSvw1v
                                                              MD5:D57AFDC6EC1DF90D0F161F33F842F013
                                                              SHA1:E97558978F6D0EE9F2B686F5934D1A8B0203A903
                                                              SHA-256:F76D69BE7E155D1A934FB422CE3DB0F2BC8474B5275C6DAF227F4853ED3AA573
                                                              SHA-512:AB0104361F6511B01B4FA8777829822AFD4EE86D8B3505EADFC8D4AC8EBAD1034AC4A36B7206746D3D48AF0434B65E9F1CEF9E2BBB03151201C48F41DDA031D2
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):32768
                                                              Entropy (8bit):1.2557089527891394
                                                              Encrypted:false
                                                              SSDEEP:48:bVUuGBO+CFXJ9T5ELxOacwMoAEu5CyISuacZgUXSacwSuacoTN:hUn6VTuLxOvDv5Cn1v+UXSvw1v
                                                              MD5:D57AFDC6EC1DF90D0F161F33F842F013
                                                              SHA1:E97558978F6D0EE9F2B686F5934D1A8B0203A903
                                                              SHA-256:F76D69BE7E155D1A934FB422CE3DB0F2BC8474B5275C6DAF227F4853ED3AA573
                                                              SHA-512:AB0104361F6511B01B4FA8777829822AFD4EE86D8B3505EADFC8D4AC8EBAD1034AC4A36B7206746D3D48AF0434B65E9F1CEF9E2BBB03151201C48F41DDA031D2
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):1.566935956982411
                                                              Encrypted:false
                                                              SSDEEP:48:u8PhcuRc06WXJ4FT5lxOacwMoAEu5CyISuacZgUXSacwSuacoTN:hhc1bFTrxOvDv5Cn1v+UXSvw1v
                                                              MD5:12DF2DF13EA07A091625DFA64BD636E9
                                                              SHA1:642F6421324FE71948B071DE45248E11200E2BD2
                                                              SHA-256:AC3E13F0CA5B4CBE1F4C929ABEF74959F824C37F162A1EA86D596BBF9FE1C1F6
                                                              SHA-512:34B2DBCBD17DFCC318D0B3C2A07864FAE69B942DFAD9C5998C75A81236A59D27D5618A0DA5AF42E4CC85D266FDF311E14DA1FF67CA100BAABB386060ABA6CBD5
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):73728
                                                              Entropy (8bit):0.13833856402616718
                                                              Encrypted:false
                                                              SSDEEP:48:K1TyacwSuacPacwMoAEu5CyISuacZgUXqE:vvw1vPvDv5Cn1v+UXqE
                                                              MD5:8404E1CFE0A7993660D38C1289C13251
                                                              SHA1:08C3EB6817EFEDA29276F8F7E7E6DE36CFBE245C
                                                              SHA-256:0B19EFC62B643727AFF8097D22824BDED4CF851F36E697B40FD9B9CFFC2AEBFE
                                                              SHA-512:C5730F37DB735465E2C7484AB9335284809D8819C5D705B1B11D74BAA39A0349AAB06FC08FA3F4ACD0EC9CD0988A9DE898769B92E71B06B04E6CD19391274E39
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):32768
                                                              Entropy (8bit):0.07120789387870324
                                                              Encrypted:false
                                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOIKre8CTfEgXLIiVky6l7:2F0i8n0itFzDHFIKreNfEgX27
                                                              MD5:4CDD301A2E7245461A47ADB9910DF435
                                                              SHA1:7D68083A89E53CB0253C6CBD8F6F93C628FEDD8D
                                                              SHA-256:ADB40028523437853764478649A7234D65D0AD32EBCCCB208F4B50AC4469D8A5
                                                              SHA-512:F058ED607DBA7EC5B7C6278601111835B1C906EE2E5B103BEF1960A77C43BE2B4EA9B9738A4A0060B09493235D31F2798F90D08DACEB2DEC2D952EBF0F6A5B4D
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):32768
                                                              Entropy (8bit):1.2557089527891394
                                                              Encrypted:false
                                                              SSDEEP:48:bVUuGBO+CFXJ9T5ELxOacwMoAEu5CyISuacZgUXSacwSuacoTN:hUn6VTuLxOvDv5Cn1v+UXSvw1v
                                                              MD5:D57AFDC6EC1DF90D0F161F33F842F013
                                                              SHA1:E97558978F6D0EE9F2B686F5934D1A8B0203A903
                                                              SHA-256:F76D69BE7E155D1A934FB422CE3DB0F2BC8474B5275C6DAF227F4853ED3AA573
                                                              SHA-512:AB0104361F6511B01B4FA8777829822AFD4EE86D8B3505EADFC8D4AC8EBAD1034AC4A36B7206746D3D48AF0434B65E9F1CEF9E2BBB03151201C48F41DDA031D2
                                                              Malicious:false
                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):1.566935956982411
                                                              Encrypted:false
                                                              SSDEEP:48:u8PhcuRc06WXJ4FT5lxOacwMoAEu5CyISuacZgUXSacwSuacoTN:hhc1bFTrxOvDv5Cn1v+UXSvw1v
                                                              MD5:12DF2DF13EA07A091625DFA64BD636E9
                                                              SHA1:642F6421324FE71948B071DE45248E11200E2BD2
                                                              SHA-256:AC3E13F0CA5B4CBE1F4C929ABEF74959F824C37F162A1EA86D596BBF9FE1C1F6
                                                              SHA-512:34B2DBCBD17DFCC318D0B3C2A07864FAE69B942DFAD9C5998C75A81236A59D27D5618A0DA5AF42E4CC85D266FDF311E14DA1FF67CA100BAABB386060ABA6CBD5
                                                              Malicious:false
                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):638
                                                              Entropy (8bit):4.751962275036146
                                                              Encrypted:false
                                                              SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                              MD5:15CA959638E74EEC47E0830B90D0696E
                                                              SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                              SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                              SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                              Malicious:false
                                                              Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E80F2B59-D743-41E0-8072-3664F2FD7ADC}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 07:05:13 2024, Last Saved Time/Date: Thu Dec 26 07:05:13 2024, Last Printed: Thu Dec 26 07:05:13 2024, Number of Pages: 450
                                                              Entropy (8bit):7.202428166979746
                                                              TrID:
                                                              • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                              • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                              File name:installer.msi
                                                              File size:60'333'056 bytes
                                                              MD5:5f35dcef40d02aa98a28b01f76b20674
                                                              SHA1:da835acb9ffdcd854f722b8d44a38b4aa2c04dcf
                                                              SHA256:bbe217c3cd9c1375a9e06a3ec8b6d1ea8c3d5132bdcab62a0050608df896bdb8
                                                              SHA512:d5431e321419f89e0b6ed5564bbc54eef41d5f792d91ece635af937f6f519b1ae222d6865afb757ede32810a2f8549634cb316126231bba05ae5d4b11d6cb076
                                                              SSDEEP:786432:gGZTjVmrjV7eIAtehOTZxoZ4sdUuzt/NCaY2ksCl:gGVVmrjV7eIvhOTZCRjVCa1t8
                                                              TLSH:66D76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
                                                              File Content Preview:........................>............................................2..................................................................x......................................................................................................................
                                                              Icon Hash:2d2e3797b32b2b99
                                                              Timestamp                       | SID     | Signature                                          | Severity | Source IP   | Source Port | Dest IP    | Dest Port | Protocol
                                                              2024-12-26T13:25:24.803527+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1        | 192.168.2.9 | 49737       | 104.21.6.3 | 443       | TCP
                                                              Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                                              Dec 26, 2024 13:25:23.396634102 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:23.396677017 CET | 443         | 49737     | 104.21.6.3  | 192.168.2.9
                                                              Dec 26, 2024 13:25:23.396806002 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:23.401259899 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:23.401273012 CET | 443         | 49737     | 104.21.6.3  | 192.168.2.9
                                                              Dec 26, 2024 13:25:24.710767984 CET | 443         | 49737     | 104.21.6.3  | 192.168.2.9
                                                              Dec 26, 2024 13:25:24.710969925 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:24.799468994 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:24.799525976 CET | 443         | 49737     | 104.21.6.3  | 192.168.2.9
                                                              Dec 26, 2024 13:25:24.799856901 CET | 443         | 49737     | 104.21.6.3  | 192.168.2.9
                                                              Dec 26, 2024 13:25:24.799917936 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:24.803394079 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:24.803472042 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:24.803504944 CET | 443         | 49737     | 104.21.6.3  | 192.168.2.9
                                                              Dec 26, 2024 13:25:25.525495052 CET | 443         | 49737     | 104.21.6.3  | 192.168.2.9
                                                              Dec 26, 2024 13:25:25.525564909 CET | 443         | 49737     | 104.21.6.3  | 192.168.2.9
                                                              Dec 26, 2024 13:25:25.525613070 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:25.525643110 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:25.527388096 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:25.527409077 CET | 443         | 49737     | 104.21.6.3  | 192.168.2.9
                                                              Dec 26, 2024 13:25:25.527419090 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Dec 26, 2024 13:25:25.527460098 CET | 49737       | 443       | 192.168.2.9 | 104.21.6.3
                                                              Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                                              Dec 26, 2024 13:25:23.251163960 CET | 64450       | 53        | 192.168.2.9 | 1.1.1.1
                                                              Dec 26, 2024 13:25:23.390793085 CET | 53          | 64450     | 1.1.1.1     | 192.168.2.9
                                                              Timestamp                           | Source IP   | Dest IP     | Trans ID | OP Code            | Name               | Type           | Class       | DNS over HTTPS
                                                              Dec 26, 2024 13:25:23.251163960 CET | 192.168.2.9 | 1.1.1.1     | 0xdbf6   | Standard query (0) | successroadway.com | A (IP address) | IN (0x0001) | false
                                                              Timestamp                           | Source IP   | Dest IP     | Trans ID | Reply Code         | Name               | CName | Address       | Type           | Class       | DNS over HTTPS
                                                              Dec 26, 2024 13:25:23.390793085 CET | 1.1.1.1     | 192.168.2.9 | 0xdbf6   | No error (0)       | successroadway.com |       | 104.21.6.3    | A (IP address) | IN (0x0001) | false
                                                              Dec 26, 2024 13:25:23.390793085 CET | 1.1.1.1     | 192.168.2.9 | 0xdbf6   | No error (0)       | successroadway.com |       | 172.67.134.27 | A (IP address) | IN (0x0001) | false
                                                              • successroadway.com
                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                              0          | 192.168.2.9 | 49737       | 104.21.6.3     | 443              | 6004 | C:\Windows\SysWOW64\msiexec.exe
                                                              Timestamp               | Bytes transferred | Direction | Data
                                                              2024-12-26 12:25:24 UTC | 196               | OUT       | POST /updater.php HTTP/1.1
                                                              Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                              User-Agent: AdvancedInstaller
                                                              Host: successroadway.com
                                                              Content-Length: 71
                                                              Cache-Control: no-cache
                                                              2024-12-26 12:25:24 UTC | 71                | OUT       | Data Raw: 44 61 74 65 3d 32 36 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 30 37 25 33 41 32 35 25 33 41 32 32 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                              Data Ascii: Date=26%2F12%2F2024&Time=07%3A25%3A22&BuildVersion=8.9.9&SoroqVins=True
                                                              2024-12-26 12:25:25 UTC | 833               | IN        | HTTP/1.1 500 Internal Server Error
                                                              Date: Thu, 26 Dec 2024 12:25:25 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Cache-Control: no-store
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3aUyATMTRo7mkFG6z2Dg%2B%2BjSMkkaM36Q8vRVzxUGmN05fMnl5fMxgiiQdlfVYw4PYJ08Jke14Yn2n9FtTetN5yqrsEHBFx27AXKkKt5WZ3rGcqbcHJst9l71sW9RUyCdc06iDEE%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f810dab5f5a8c51-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2024&min_rtt=2021&rtt_var=764&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=927&delivery_rate=1427174&cwnd=234&unsent_bytes=0&cid=aeafa58d4d930825&ts=826&x=0"
                                                              2024-12-26 12:25:25 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0

                                                              Target ID:0
                                                              Start time:07:25:11
                                                              Start date:26/12/2024
                                                              Path:C:\Windows\System32\msiexec.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi"
                                                              Imagebase:0x7ff6cf4c0000
                                                              File size:69'632 bytes
                                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:07:25:12
                                                              Start date:26/12/2024
                                                              Path:C:\Windows\System32\msiexec.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                                              Imagebase:0x7ff6cf4c0000
                                                              File size:69'632 bytes
                                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:3
                                                              Start time:07:25:14
                                                              Start date:26/12/2024
                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 8DC69D35C541E3685C8EA051F14BAC5D
                                                              Imagebase:0x170000
                                                              File size:59'904 bytes
                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:07:25:25
                                                              Start date:26/12/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssB87B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiB869.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrB86A.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrB86B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                              Imagebase:0x5d0000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:07:25:25
                                                              Start date:26/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff70f010000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:07:25:31
                                                              Start date:26/12/2024
                                                              Path:C:\Windows\System32\cmd.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
                                                              Imagebase:0x7ff66a6d0000
                                                              File size:289'792 bytes
                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:07:25:31
                                                              Start date:26/12/2024
                                                              Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
                                                              Imagebase:0x7ff680270000
                                                              File size:57'488 bytes
                                                              MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 0%, ReversingLabs
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:07:25:31
                                                              Start date:26/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff70f010000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:07:25:31
                                                              Start date:26/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff70f010000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:12
                                                              Start time:07:25:32
                                                              Start date:26/12/2024
                                                              Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
                                                              Imagebase:0x140000000
                                                              File size:117'496 bytes
                                                              MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 0%, ReversingLabs
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:13
                                                              Start time:07:25:32
                                                              Start date:26/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff70f010000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1516017043.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_51e0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3481254fdec40c42917ebc7fe180dab3bafab7cbcb44decaf2be50c038aa7f26
                                                                • Instruction ID: 549d0a9dbcd7151a1875f1c99394025197b1a330e19d8b7945de71bc35a3c393
                                                                • Opcode Fuzzy Hash: 3481254fdec40c42917ebc7fe180dab3bafab7cbcb44decaf2be50c038aa7f26
                                                                • Instruction Fuzzy Hash: 6DA18E35E006489FDB14EFA4D954EADBBF6FF84300F114559E806AB265DB34ED49CB80
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1521609716.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7d40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e4217205c6b37ae5363f94dca90f3d863deb94214ee3a9c2bf2412277cfa3332
                                                                • Instruction ID: e233e4620b2907b82e9f529fb33b9fde99c238ca1c8ba3540a730aeb1cdcd0c6
                                                                • Opcode Fuzzy Hash: e4217205c6b37ae5363f94dca90f3d863deb94214ee3a9c2bf2412277cfa3332
                                                                • Instruction Fuzzy Hash: D85109B070435DDFDB258F69D84076AFBF2AF85211F1480AAE445CB251EB36CD81CB61
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1521609716.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7d40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b742d1f63c2cd31cc6a3bb4dc213b603f13d3d351277995c7fb51b67fdcc0624
                                                                • Instruction ID: df6981594b86fdbad3092c3fbc30a619bef6f92f30ffd07041784d648b543af3
                                                                • Opcode Fuzzy Hash: b742d1f63c2cd31cc6a3bb4dc213b603f13d3d351277995c7fb51b67fdcc0624
                                                                • Instruction Fuzzy Hash: 2F316DF5A0020EDFDB34CE59D984AAAFBF1FF81211F188066D4458B251E736D9C5CB91
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1516017043.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_51e0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 57a180005b2b03c6096e728c2bc288d5e26e315540fce79c6ec9748ed98f1796
                                                                • Instruction ID: 09f5eb0956534c88dd6dabfe9070b72fb663c536e3593db489ec26357e7e2a40
                                                                • Opcode Fuzzy Hash: 57a180005b2b03c6096e728c2bc288d5e26e315540fce79c6ec9748ed98f1796
                                                                • Instruction Fuzzy Hash: 8D312575A007499FDB05DBA4C854BAD7BB2BF89340F09046AE506EB3A1CF349C4ACB90
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1516017043.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_51e0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fd858a6f009c7955e1b83b315fbf3ab8e14f1fa50b596d699b118f7231e8bdb1
                                                                • Instruction ID: 05a65a8eb26241417cd1276e35d5be14745874cedc95a7f071bd7e8f81f2d68e
                                                                • Opcode Fuzzy Hash: fd858a6f009c7955e1b83b315fbf3ab8e14f1fa50b596d699b118f7231e8bdb1
                                                                • Instruction Fuzzy Hash: 2E317270900649DFDB18DF75D884BADBBF2BF89344F158829D802AB2A4DB75A845CF40
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1515304509.000000000355D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0355D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_355d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bfa0eceb55fb66b0d52f1bd55c52b97dfcfdc1e9c9cb615f90a0631559c35c0a
                                                                • Instruction ID: 3c08f89dc02b3dc97a5976a9f0ec2521fb99a41fe5c31bb51e881d3626b4e248
                                                                • Opcode Fuzzy Hash: bfa0eceb55fb66b0d52f1bd55c52b97dfcfdc1e9c9cb615f90a0631559c35c0a
                                                                • Instruction Fuzzy Hash: B9012D6240D3C05FD7128B259D94752BFB8EF43224F1981DBED888F1A3D2699C45CB72
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1515304509.000000000355D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0355D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_355d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c0bd37f70317613bfe804320171075b92b5cdeaaff25159ce0964a7a1e9a88cb
                                                                • Instruction ID: e1e50337bd6c98dbf234c93699ae5eff4682eedebc8c9dd0c3628edf04c8fbee
                                                                • Opcode Fuzzy Hash: c0bd37f70317613bfe804320171075b92b5cdeaaff25159ce0964a7a1e9a88cb
                                                                • Instruction Fuzzy Hash: BE01A7335043409FE710DE16ED84B66FBE8EF41224F18C55BFD484A2A2E679A941CAB2
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1516017043.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_51e0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8074bb12f7624ac27aae542010df9157db47739f3b7fced3766d0ed6c1d38b67
                                                                • Instruction ID: 8bd30ee84627956a7aca7fdcc5e8ccd49cdae156208343f66654863879364150
                                                                • Opcode Fuzzy Hash: 8074bb12f7624ac27aae542010df9157db47739f3b7fced3766d0ed6c1d38b67
                                                                • Instruction Fuzzy Hash: 69F0DA35A001159FDB15CF9DD890AEEF7B1FF88324F208159E515A72A1C732EC52CB50
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1516017043.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_51e0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dcbbac56a740accd3a1209717210ef4780e625499c27dcc9f73aa2ccb5158783
                                                                • Instruction ID: c8f181ff4ef7c0a52f5605f8d04f37c9bc9dc4cb3bea23ec09d312ad885f76d3
                                                                • Opcode Fuzzy Hash: dcbbac56a740accd3a1209717210ef4780e625499c27dcc9f73aa2ccb5158783
                                                                • Instruction Fuzzy Hash: 68F03074A4070A9FEB14DBE0D5A5B6E77B2AF84340F118814D1029F264DB789D498BD1

                                                                Execution Graph

                                                                Execution Coverage:3.4%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:1.7%
                                                                Total number of Nodes:700
                                                                Total number of Limit Nodes:1
                                                                 [Execution graph: the interactive call-graph rendering is not reproduced here; the flattened node list gives function addresses in the 0x7ff68027xxxx range with the API names resolved on each node. Recoverable from the node labels: a main routine that parses its command line (__p___argc, __p___argv, strcmp, atoi) and, after GetTempPathA and strcat_s, reaches a routine that calls OpenProcess, K32GetModuleBaseNameA, WSAStartup, CreateFileA and MiniDumpWriteDump, followed by CloseHandle; CRT startup, exception-handling and error paths (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException, RtlUnwindEx, RtlPcToFileHeader, GetCurrentProcess, TerminateProcess, abort, terminate, _exit); the GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter sequence typical of the MSVC security-cookie initialiser; lazy API resolution (LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleHandleW); TLS and lock setup (TlsAlloc, TlsFree, TlsGetValue, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, EncodePointer); and _time64, WSAGetLastError, GetLastError, __stdio_common_vfprintf/fprintf/fflush, malloc/free.]
2808->2809 2810 7ff6802743d0 ExFilterRethrow 10 API calls 2809->2810 2811 7ff680275914 2810->2811 2812 7ff6802743d0 ExFilterRethrow 10 API calls 2811->2812 2813 7ff68027591d 2812->2813 2814 7ff6802743d0 ExFilterRethrow 10 API calls 2813->2814 2815 7ff680275926 2814->2815 2834 7ff680273b18 2815->2834 2818 7ff6802743d0 ExFilterRethrow 10 API calls 2819 7ff680275959 2818->2819 2820 7ff680275aa9 abort 2819->2820 2821 7ff680275991 2819->2821 2822 7ff680273b54 11 API calls 2821->2822 2826 7ff680275a31 2822->2826 2823 7ff680275a5a __GSHandlerCheck_EH 2824 7ff6802743d0 ExFilterRethrow 10 API calls 2823->2824 2825 7ff680275a6d 2824->2825 2827 7ff6802743d0 ExFilterRethrow 10 API calls 2825->2827 2826->2823 2828 7ff680274104 10 API calls 2826->2828 2829 7ff680275a76 2827->2829 2828->2823 2830 7ff6802743d0 ExFilterRethrow 10 API calls 2829->2830 2831 7ff680275a7f 2830->2831 2832 7ff6802743d0 ExFilterRethrow 10 API calls 2831->2832 2833 7ff680275a8e 2832->2833 2835 7ff6802743d0 ExFilterRethrow 10 API calls 2834->2835 2836 7ff680273b29 2835->2836 2837 7ff6802743d0 ExFilterRethrow 10 API calls 2836->2837 2838 7ff680273b34 2836->2838 2837->2838 2839 7ff6802743d0 ExFilterRethrow 10 API calls 2838->2839 2840 7ff680273b45 2839->2840 2840->2818 2840->2819 2841 7ff680277260 2842 7ff680277273 2841->2842 2843 7ff680277280 2841->2843 2844 7ff680271e80 _invalid_parameter_noinfo_noreturn 2842->2844 2844->2843 2845 7ff680271ce0 2846 7ff680272688 5 API calls 2845->2846 2847 7ff680271cea gethostname 2846->2847 2848 7ff680271d08 2847->2848 2849 7ff680271da9 WSAGetLastError 2847->2849 2859 7ff680272040 2848->2859 2850 7ff680271450 6 API calls 2849->2850 2851 7ff680271d76 2850->2851 2854 7ff680272660 __GSHandlerCheck_EH 8 API calls 2851->2854 2853 7ff6802718a0 2853->2851 2856 7ff680271dd0 2853->2856 2857 7ff6802720c0 21 API calls 2853->2857 2855 7ff680271d87 2854->2855 2858 7ff680271450 6 API calls 2856->2858 2857->2853 2858->2851 2860 7ff6802720a2 2859->2860 2863 7ff680272063 
BuildCatchObjectHelperInternal 2859->2863 2864 7ff680272230 2860->2864 2862 7ff6802720b5 2862->2853 2863->2853 2865 7ff6802723ab 2864->2865 2866 7ff68027225e 2864->2866 2868 7ff6802717e0 21 API calls 2865->2868 2867 7ff6802722be 2866->2867 2870 7ff6802722e6 2866->2870 2871 7ff6802722b1 2866->2871 2872 7ff680272690 5 API calls 2867->2872 2869 7ff6802723b0 2868->2869 2873 7ff680271720 Concurrency::cancel_current_task 4 API calls 2869->2873 2874 7ff6802722cf BuildCatchObjectHelperInternal 2870->2874 2875 7ff680272690 5 API calls 2870->2875 2871->2867 2871->2869 2872->2874 2876 7ff6802723b6 2873->2876 2877 7ff680272364 _invalid_parameter_noinfo_noreturn 2874->2877 2878 7ff680272357 BuildCatchObjectHelperInternal 2874->2878 2875->2874 2877->2878 2878->2862 2879 7ff68027195f 2880 7ff68027196d 2879->2880 2881 7ff680271a23 2880->2881 2895 7ff680271ee0 2880->2895 2883 7ff680271a67 BuildCatchObjectHelperInternal 2881->2883 2884 7ff680272230 22 API calls 2881->2884 2885 7ff680271da2 _invalid_parameter_noinfo_noreturn 2883->2885 2887 7ff6802718a0 2883->2887 2884->2883 2886 7ff680271da9 WSAGetLastError 2885->2886 2888 7ff680271450 6 API calls 2886->2888 2890 7ff680271dd0 2887->2890 2891 7ff680271d76 2887->2891 2892 7ff6802720c0 21 API calls 2887->2892 2888->2891 2889 7ff680272660 __GSHandlerCheck_EH 8 API calls 2893 7ff680271d87 2889->2893 2894 7ff680271450 6 API calls 2890->2894 2891->2889 2892->2887 2894->2891 2899 7ff680271f25 2895->2899 2908 7ff680271f04 BuildCatchObjectHelperInternal 2895->2908 2896 7ff680272031 2897 7ff6802717e0 21 API calls 2896->2897 2898 7ff680272036 2897->2898 2903 7ff680271720 Concurrency::cancel_current_task 4 API calls 2898->2903 2899->2896 2901 7ff680271fa9 2899->2901 2902 7ff680271f74 2899->2902 2900 7ff680272690 5 API calls 2907 7ff680271f92 BuildCatchObjectHelperInternal 2900->2907 2905 7ff680272690 5 API calls 2901->2905 2901->2907 2902->2898 2902->2900 2906 7ff68027203c 2903->2906 2904 7ff68027202a _invalid_parameter_noinfo_noreturn 
2904->2896 2905->2907 2907->2904 2907->2908 2908->2881 2909 7ff6802748c7 abort 2913 7ff6802727d0 2917 7ff680273074 SetUnhandledExceptionFilter 2913->2917 2910 7ff680271550 2911 7ff680273d50 __std_exception_destroy free 2910->2911 2912 7ff680271567 2911->2912 3061 7ff680273090 3062 7ff6802730a8 3061->3062 3063 7ff6802730c4 3061->3063 3062->3063 3068 7ff6802741c0 3062->3068 3067 7ff6802730e2 3069 7ff6802743d0 ExFilterRethrow 10 API calls 3068->3069 3070 7ff6802730d6 3069->3070 3071 7ff6802741d4 3070->3071 3072 7ff6802743d0 ExFilterRethrow 10 API calls 3071->3072 3073 7ff6802741dd 3072->3073 3073->3067 3078 7ff680277090 3079 7ff6802770d2 __GSHandlerCheckCommon 3078->3079 3080 7ff6802770fa 3079->3080 3082 7ff680273d78 3079->3082 3085 7ff680273da8 _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 3082->3085 3083 7ff680273e99 3083->3080 3084 7ff680273e64 RtlUnwindEx 3084->3085 3085->3083 3085->3084 3086 7ff680271510 3087 7ff680273cc0 __std_exception_copy 2 API calls 3086->3087 3088 7ff680271539 3087->3088 3089 7ff680277411 3090 7ff680277495 3089->3090 3091 7ff680277429 3089->3091 3091->3090 3092 7ff6802743d0 ExFilterRethrow 10 API calls 3091->3092 3093 7ff680277476 3092->3093 3094 7ff6802743d0 ExFilterRethrow 10 API calls 3093->3094 3095 7ff68027748b terminate 3094->3095 3095->3090 2918 7ff68027733c _seh_filter_exe 2922 7ff680271d39 2923 7ff680271d40 2922->2923 2923->2923 2924 7ff680272040 22 API calls 2923->2924 2926 7ff6802718a0 2923->2926 2924->2926 2925 7ff680271d76 2927 7ff680272660 __GSHandlerCheck_EH 8 API calls 2925->2927 2926->2925 2928 7ff680271dd0 2926->2928 2929 7ff6802720c0 21 API calls 2926->2929 2930 7ff680271d87 2927->2930 2931 7ff680271450 6 API calls 2928->2931 2929->2926 2931->2925 3099 7ff680272700 3100 7ff680272710 3099->3100 3112 7ff680272bd8 3100->3112 3102 7ff680272ecc 7 API calls 3103 7ff6802727b5 3102->3103 3104 7ff680272734 _RTC_Initialize 3109 7ff680272797 3104->3109 3120 7ff680272e64 InitializeSListHead 
3104->3120 3109->3102 3111 7ff6802727a5 3109->3111 3113 7ff680272be9 3112->3113 3118 7ff680272c1b 3112->3118 3114 7ff680272c58 3113->3114 3117 7ff680272bee __scrt_release_startup_lock 3113->3117 3115 7ff680272ecc 7 API calls 3114->3115 3116 7ff680272c62 3115->3116 3117->3118 3119 7ff680272c0b _initialize_onexit_table 3117->3119 3118->3104 3119->3118

                                                                Control-flow Graph

                                                                control_flow_graph 0 7ff680271060-7ff6802710ae 1 7ff680271386-7ff680271394 call 7ff680271450 0->1 2 7ff6802710b4-7ff6802710c6 0->2 5 7ff680271399 1->5 4 7ff6802710d0-7ff6802710d6 2->4 6 7ff6802710dc-7ff6802710df 4->6 7 7ff68027127f-7ff680271283 4->7 8 7ff68027139e-7ff6802713b7 5->8 10 7ff6802710ed 6->10 11 7ff6802710e1-7ff6802710e5 6->11 7->4 9 7ff680271289-7ff680271299 7->9 9->1 13 7ff68027129f-7ff6802712b7 call 7ff680272688 9->13 12 7ff6802710f0-7ff6802710fc 10->12 11->10 14 7ff6802710e7-7ff6802710eb 11->14 16 7ff680271110-7ff680271113 12->16 17 7ff6802710fe-7ff680271102 12->17 26 7ff68027132a-7ff680271336 call 7ff6802723c0 13->26 27 7ff6802712b9-7ff6802712c9 GetTempPathA 13->27 14->10 15 7ff680271104-7ff68027110b 14->15 19 7ff68027127b 15->19 20 7ff680271125-7ff680271136 strcmp 16->20 21 7ff680271115-7ff680271119 16->21 17->12 17->15 19->7 24 7ff68027113c-7ff68027113f 20->24 25 7ff680271267-7ff68027126e 20->25 21->20 23 7ff68027111b-7ff68027111f 21->23 23->20 23->25 29 7ff680271151-7ff680271162 strcmp 24->29 30 7ff680271141-7ff680271145 24->30 28 7ff680271276 25->28 43 7ff680271338-7ff680271344 call 7ff6802713c0 26->43 44 7ff680271346 26->44 32 7ff6802712cb-7ff6802712e7 GetLastError call 7ff680271450 GetLastError 27->32 33 7ff6802712e9-7ff680271302 strcat_s 27->33 28->19 38 7ff680271258-7ff680271265 29->38 39 7ff680271168-7ff68027116b 29->39 30->29 36 7ff680271147-7ff68027114b 30->36 50 7ff680271313-7ff680271323 call 7ff680272680 32->50 34 7ff680271304-7ff680271312 call 7ff680271450 33->34 35 7ff680271325 33->35 34->50 35->26 36->29 36->38 38->19 45 7ff68027117d-7ff68027118e strcmp 39->45 46 7ff68027116d-7ff680271171 39->46 47 7ff68027134b-7ff680271384 __acrt_iob_func fflush __acrt_iob_func fflush call 7ff680272680 43->47 44->47 48 7ff680271247-7ff680271256 45->48 49 7ff680271194-7ff680271197 45->49 46->45 53 7ff680271173-7ff680271177 46->53 47->8 48->28 55 7ff680271199-7ff68027119d 49->55 56 
7ff6802711a5-7ff6802711af 49->56 50->8 53->45 53->48 55->56 60 7ff68027119f-7ff6802711a3 55->60 61 7ff6802711b0-7ff6802711bb 56->61 60->56 63 7ff6802711c3-7ff6802711d2 60->63 64 7ff6802711bd-7ff6802711c1 61->64 65 7ff6802711d7-7ff6802711da 61->65 63->28 64->61 64->63 66 7ff6802711ec-7ff6802711f6 65->66 67 7ff6802711dc-7ff6802711e0 65->67 69 7ff680271200-7ff68027120b 66->69 67->66 68 7ff6802711e2-7ff6802711e6 67->68 68->19 68->66 70 7ff68027120d-7ff680271211 69->70 71 7ff680271215-7ff680271218 69->71 70->69 72 7ff680271213 70->72 73 7ff68027121a-7ff68027121e 71->73 74 7ff680271226-7ff680271237 strcmp 71->74 72->19 73->74 75 7ff680271220-7ff680271224 73->75 74->19 76 7ff680271239-7ff680271245 atoi 74->76 75->19 75->74 76->19
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                                • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                                • API String ID: 2647627392-2367407095
                                                                • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                • Instruction ID: b90aa977de6beaed962bc8bf5900021eaf708efa11ea06c156dd6835647a3d2b
                                                                • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                • Instruction Fuzzy Hash: 38A15871D0D782E9EB61CB24A6202F96EB4BF46754F484939CA4E867D6DFBCE844C300

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                • String ID:
                                                                • API String ID: 2308368977-0
                                                                • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                • Instruction ID: f91ebe85e979b89e157d96c95950ab56dee0e7b16e0e485dd2a2e195e0a487db
                                                                • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                • Instruction Fuzzy Hash: DB313B31E08243E2FA14AB2596723F91AF1BF45784F44583DDA0D8B3D3DEADA848C251

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                • String ID: [createdump]
                                                                • API String ID: 3735572767-2657508301
                                                                • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                • Instruction ID: 8dc21d58e4269d982c04fad97b577865ef7016846fd1325a03962a5d9fb7bebf
                                                                • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                • Instruction Fuzzy Hash: 55014F31A08B81D2E6009B50F9251AAAB74FF84BD1F004939DE8D437A6CF7CD895C700

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                • String ID:
                                                                • API String ID: 3140674995-0
                                                                • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                • Instruction ID: 46bd79f323f593c617f99422d8dfd96c9eed81664d0aac70c503d365faa62d19
                                                                • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                • Instruction Fuzzy Hash: 9C315A72609A81D6EB609F60E8503EA77B1FF84744F40483ADA4E87BD8EF78D548C710
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                • Instruction ID: 7924e1b678973cb5420506e17bfb92debb06b6ac0ec4770acb5632b26f08cd56
                                                                • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                • Instruction Fuzzy Hash: 0FA0023194CC02F0E6448B11EA751B12B30FF60300B404C39D00DC12E0EFBDA458C311

                                                                Control-flow Graph

                                                                APIs
                                                                • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68027242D
                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68027243B
                                                                  • Part of subcall function 00007FF680271450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF680271475
                                                                  • Part of subcall function 00007FF680271450: fprintf.MSPDB140-MSVCRT ref: 00007FF680271485
                                                                  • Part of subcall function 00007FF680271450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF680271494
                                                                  • Part of subcall function 00007FF680271450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6802714B3
                                                                  • Part of subcall function 00007FF680271450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6802714BE
                                                                  • Part of subcall function 00007FF680271450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6802714C7
                                                                • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF680272466
                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF680272470
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF680272487
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6802725F3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                                • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                                • API String ID: 3971781330-1292085346
                                                                • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                • Instruction ID: 1768e3e0e20ed40f78f99208c9672c91790f241ed6aac89aa83717e066e6e7c3
                                                                • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                • Instruction Fuzzy Hash: 6A616131A08A42D1E614DB15E6606BA7BB1FF85790F500939EE9E83BE5DFBCE449C700

                                                                Control-flow Graph

                                                                control_flow_graph 177 7ff6802749a4-7ff680274a07 call 7ff680274518 180 7ff680274a09-7ff680274a12 call 7ff6802743d0 177->180 181 7ff680274a20-7ff680274a29 call 7ff6802743d0 177->181 188 7ff680274a18-7ff680274a1e 180->188 189 7ff680274e99-7ff680274e9f abort 180->189 186 7ff680274a2b-7ff680274a38 call 7ff6802743d0 * 2 181->186 187 7ff680274a3f-7ff680274a42 181->187 186->187 187->189 191 7ff680274a48-7ff680274a54 187->191 188->187 193 7ff680274a56-7ff680274a7d 191->193 194 7ff680274a7f 191->194 196 7ff680274a81-7ff680274a83 193->196 194->196 196->189 198 7ff680274a89-7ff680274a8f 196->198 199 7ff680274b59-7ff680274b6f call 7ff680275724 198->199 200 7ff680274a95-7ff680274a99 198->200 205 7ff680274b75-7ff680274b79 199->205 206 7ff680274def-7ff680274df3 199->206 200->199 202 7ff680274a9f-7ff680274aaa 200->202 202->199 204 7ff680274ab0-7ff680274ab5 202->204 204->199 207 7ff680274abb-7ff680274ac5 call 7ff6802743d0 204->207 205->206 210 7ff680274b7f-7ff680274b8a 205->210 208 7ff680274e2b-7ff680274e35 call 7ff6802743d0 206->208 209 7ff680274df5-7ff680274dfc 206->209 218 7ff680274acb-7ff680274af1 call 7ff6802743d0 * 2 call 7ff680273be8 207->218 219 7ff680274e37-7ff680274e56 call 7ff680272660 207->219 208->189 208->219 209->189 213 7ff680274e02-7ff680274e26 call 7ff680274ea0 209->213 210->206 215 7ff680274b90-7ff680274b94 210->215 213->208 216 7ff680274b9a-7ff680274bd1 call 7ff6802736d0 215->216 217 7ff680274dd4-7ff680274dd8 215->217 216->217 231 7ff680274bd7-7ff680274be2 216->231 217->208 225 7ff680274dda-7ff680274de7 call 7ff680273670 217->225 246 7ff680274af3-7ff680274af7 218->246 247 7ff680274b11-7ff680274b1b call 7ff6802743d0 218->247 233 7ff680274ded 225->233 234 7ff680274e81-7ff680274e98 call 7ff6802743d0 * 2 terminate 225->234 235 7ff680274be6-7ff680274bf6 231->235 233->208 234->189 238 7ff680274bfc-7ff680274c02 235->238 239 7ff680274d2f-7ff680274dce 235->239 238->239 242 7ff680274c08-7ff680274c31 call 
7ff6802756a8 238->242 239->217 239->235 242->239 252 7ff680274c37-7ff680274c7e call 7ff680273bbc * 2 242->252 246->247 250 7ff680274af9-7ff680274b04 246->250 247->199 256 7ff680274b1d-7ff680274b3d call 7ff6802743d0 * 2 call 7ff680275fd8 247->256 250->247 253 7ff680274b06-7ff680274b0b 250->253 264 7ff680274cba-7ff680274cd0 call 7ff680275ab0 252->264 265 7ff680274c80-7ff680274ca5 call 7ff680273bbc call 7ff6802752d0 252->265 253->189 253->247 273 7ff680274b54 256->273 274 7ff680274b3f-7ff680274b49 call 7ff6802760c8 256->274 275 7ff680274d2b 264->275 276 7ff680274cd2 264->276 279 7ff680274cd7-7ff680274d26 call 7ff6802748d0 265->279 280 7ff680274ca7-7ff680274cb3 265->280 273->199 283 7ff680274e7b-7ff680274e80 terminate 274->283 284 7ff680274b4f-7ff680274e7a call 7ff680274090 call 7ff680275838 call 7ff680273f84 274->284 275->239 276->252 279->275 280->265 282 7ff680274cb5 280->282 282->264 283->234 284->283
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                • String ID: csm$csm$csm
                                                                • API String ID: 695522112-393685449
                                                                • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                • Instruction ID: e3e0f470beda979913e21d8ed6e34b83e17f71d8ff5645b0ac0e591886c300ed
                                                                • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                • Instruction Fuzzy Hash: 7FE1BE33908682DAE7209F65D5A02ED7BB0FF44758F144939EA8D87796CFB8E485C700

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                • String ID: [createdump]
                                                                • API String ID: 3735572767-2657508301
                                                                • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                • Instruction ID: 09d4d796253cb29d6443eda31febd6a1931f9a41f17d207c0626c1e68cc28773
                                                                • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                • Instruction Fuzzy Hash: FA012C31A08B81D6E7009B50F9241AAAB70FF84BD1F004939DE8D437A6CFBCD895C740

                                                                Control-flow Graph

                                                                APIs
                                                                • WSAStartup.WS2_32 ref: 00007FF68027186C
                                                                  • Part of subcall function 00007FF680271450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF680271475
                                                                  • Part of subcall function 00007FF680271450: fprintf.MSPDB140-MSVCRT ref: 00007FF680271485
                                                                  • Part of subcall function 00007FF680271450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF680271494
                                                                  • Part of subcall function 00007FF680271450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6802714B3
                                                                  • Part of subcall function 00007FF680271450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6802714BE
                                                                  • Part of subcall function 00007FF680271450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6802714C7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                                • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                                • API String ID: 3378602911-3973674938
                                                                • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                • Instruction ID: 954f1bc8b333db214fa59a1b24a8503d6b1de7e1601256bd9a70aa719df3546d
                                                                • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                • Instruction Fuzzy Hash: C331AE72A08A81EAE759CB5999657F92BB1BF46784F44083AEE4D833D1CFBCE145C700

                                                                Control-flow Graph

                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF68027669F,?,?,?,00007FF68027441E,?,?,?,00007FF6802743D9), ref: 00007FF68027651D
                                                                • GetLastError.KERNEL32(?,00000000,00007FF68027669F,?,?,?,00007FF68027441E,?,?,?,00007FF6802743D9,?,?,?,?,00007FF680273524), ref: 00007FF68027652B
                                                                • LoadLibraryExW.KERNEL32(?,00000000,00007FF68027669F,?,?,?,00007FF68027441E,?,?,?,00007FF6802743D9,?,?,?,?,00007FF680273524), ref: 00007FF680276555
                                                                • FreeLibrary.KERNEL32(?,00000000,00007FF68027669F,?,?,?,00007FF68027441E,?,?,?,00007FF6802743D9,?,?,?,?,00007FF680273524), ref: 00007FF68027659B
                                                                • GetProcAddress.KERNEL32(?,00000000,00007FF68027669F,?,?,?,00007FF68027441E,?,?,?,00007FF6802743D9,?,?,?,?,00007FF680273524), ref: 00007FF6802765A7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                • String ID: api-ms-
                                                                • API String ID: 2559590344-2084034818
                                                                • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                • Instruction ID: 7d97727ba810ebdd145eaa76531b4c9adf523e1c2b1ba6d235e6a13b2128987a
                                                                • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                • Instruction Fuzzy Hash: 98319431A1A642E1EE219B129A245F52BB4FF44B60F994A38DD1D867D4EFBCE445C300

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: _time64
                                                                • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                • API String ID: 1670930206-4114407318
                                                                • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                • Instruction ID: 91595030081aa180071fb2233a984b38949417ce9f952ae72d9c862515c771ca
                                                                • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                • Instruction Fuzzy Hash: 5551F172A18B819AEB00CB28E5A03EA6BA4FF417D0F40053ADA5D53BE9DF7CE045D740

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: EncodePointerabort
                                                                • String ID: MOC$RCC
                                                                • API String ID: 1188231555-2084237596
                                                                • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                • Instruction ID: a9528c41d74ab629a45742d1b01c13449bed5f2f79594dafe1ea7caa64b9b68e
                                                                • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                • Instruction Fuzzy Hash: 9791D373A08B92DAE710CB69D9902ED7BB0FB04788F144539EA8D87B94DFB8D195C700

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: __except_validate_context_recordabort
                                                                • String ID: csm$csm
                                                                • API String ID: 746414643-3733052814
                                                                • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                • Instruction ID: 12a02dfaf58bce9741e13339cad8422629c74e8536e2094a6431a595ad292996
                                                                • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                • Instruction Fuzzy Hash: FB71A272508691DAD7208F2992606B9BFB1FF40B99F448539DA8D87BC5CFBCE491CB00

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                • API String ID: 0-4114407318
                                                                • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                • Instruction ID: e226b5a9d18b87a624537e6858e03e945a89b5a9f24efd5097c10a9ec9de1f6d
                                                                • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                • Instruction Fuzzy Hash: 7451CF32A18B8696E710CB2DA5A07EA6BA1FF817D0F400539EA9D53BE9CF7DD045D700

                                                                Control-flow Graph

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: CreateFrameInfo__except_validate_context_record
                                                                • String ID: csm
                                                                • API String ID: 2558813199-1018135373
                                                                • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                • Instruction ID: e100a9744fe819de0213ea1bb41d8db129afdca54fd5458fefe240260bb71240
                                                                • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                • Instruction Fuzzy Hash: 44515233618752D6E6209B16E5502AE7BF4FB88B94F141538EB8D87B95CFBCD460CB00
                                                                APIs
                                                                • std::_Xinvalid_argument.LIBCPMT ref: 00007FF6802717EB
                                                                • WSAStartup.WS2_32 ref: 00007FF68027186C
                                                                  • Part of subcall function 00007FF680271450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF680271475
                                                                  • Part of subcall function 00007FF680271450: fprintf.MSPDB140-MSVCRT ref: 00007FF680271485
                                                                  • Part of subcall function 00007FF680271450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF680271494
                                                                  • Part of subcall function 00007FF680271450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6802714B3
                                                                  • Part of subcall function 00007FF680271450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6802714BE
                                                                  • Part of subcall function 00007FF680271450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6802714C7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                                • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                                • API String ID: 1412700758-3183687674
                                                                • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                • Instruction ID: 55b23f5752124a9e8e6214e48b9167fb62395997e33780d220c154bb4e95ccec
                                                                • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                • Instruction Fuzzy Hash: 9201B532A18981E9F761DF12ED627EA6B70BF49794F00043AEE0C46791CE7CD496C700
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastgethostname
                                                                • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                • API String ID: 3782448640-4114407318
                                                                • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                • Instruction ID: 2378d90c5eb8dfba17400b54dd19464ab53ac4fd9ff406944edc8894018d1dcb
                                                                • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                • Instruction Fuzzy Hash: BC11C431A08142E9E654DB21A9717FA2AA4BF867B0F001939D95F973D6DE7CD046C740
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: terminate
                                                                • String ID: MOC$RCC$csm
                                                                • API String ID: 1821763600-2671469338
                                                                • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                • Instruction ID: 538432d8d5dfe81ab2e2801a0e125a0a26be29da43dbd7dc58a025bc063e5314
                                                                • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                • Instruction Fuzzy Hash: AEF08137908246E1E3246B91A3510EC3A74FF58B44F5958B9D70C8A3D2CFFCE4A0CA01
                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF6802718EE), ref: 00007FF6802721E0
                                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68027221E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                • String ID: Invalid process id '%d' error %d
                                                                • API String ID: 73155330-4244389950
                                                                • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                • Instruction ID: e49179614f5f6124d10ab49aa4db7cfbebfd206b793c0100c311138f8ef374d9
                                                                • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                • Instruction Fuzzy Hash: A831DE32B09782E5EA149B1696142E9ABF1FF05BD0F480A39DB6D477D6CEBCE058C300
                                                                APIs
                                                                • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68027173F), ref: 00007FF680273FC8
                                                                • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68027173F), ref: 00007FF68027400E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.1572807102.00007FF680271000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF680270000, based on PE: true
                                                                • Associated: 00000009.00000002.1572767760.00007FF680270000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572862355.00007FF680278000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1572943081.00007FF68027C000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000009.00000002.1573026162.00007FF68027D000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_7ff680270000_createdump.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFileHeaderRaise
                                                                • String ID: csm
                                                                • API String ID: 2573137834-1018135373
                                                                • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                • Instruction ID: c48ca90cab62c1c873733093ca03bf25cf542c03240e0cb7d6d2ceb64601dd1c
                                                                • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                • Instruction Fuzzy Hash: 04112B32A18B8192EB108B15E5502A97BB0FF88B84F188635EE8D47B98DF7DD555C700
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$HandleModule
                                                                • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                                • API String ID: 667068680-295688737
                                                                • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                                • Instruction ID: f0cffffd01af08355e77dd4fc618d3eace74c1198c591de493b6b9505259a862
                                                                • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                                • Instruction Fuzzy Hash: D6A18E64E09B0B9FEB058F55BC6516423A1FB7CBD5F949031C86E032A4EF7CA149E398
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                                • API String ID: 2943138195-2884338863
                                                                • Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                                • Instruction ID: a71cd00b97b9b86a6982512cc542c284ef855624f75e7135ea1f3e8d6481a0a6
                                                                • Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                                • Instruction Fuzzy Hash: 9A9245729186828AE751CF24E8812BEB7A0FB98384F501235FBAE476D9DF7CD545CB40
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2003779279-1866435925
                                                                • Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                                • Instruction ID: 7135327d10c6b796df82122537a0dbdfd5a4fa0ee21a0e4439486f0084d5feb5
                                                                • Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                                • Instruction Fuzzy Hash: 1BA28C22619B858AEB54CF19E8803A9B760FBA9FC0F448036DA9D43BB5DF3DD485D704
                                                                APIs
                                                                • memchr.VCRUNTIME140 ref: 00007FF8F85930AA
                                                                • memchr.VCRUNTIME140 ref: 00007FF8F8593470
                                                                • memchr.VCRUNTIME140 ref: 00007FF8F85936A5
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F859410D
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8594114
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F859411B
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8594122
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8594129
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8594130
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8594137
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F859413E
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8594145
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F859414C
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85942D3
                                                                  • Part of subcall function 00007FF8F8571DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8F856C320), ref: 00007FF8F8571DFB
                                                                  • Part of subcall function 00007FF8F8571DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FF8F856C320), ref: 00007FF8F8571E08
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
                                                                • String ID: 0123456789-
                                                                • API String ID: 3572500260-3850129594
                                                                • Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                                • Instruction ID: b951152aae89f157a5b1bb5fa32c7d645e1485ffdd9aef3c55d00327a0983552
                                                                • Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                                • Instruction Fuzzy Hash: 89E2AC22A09A85CEEB408F69D8443BC2761FB68BD8F556131DA6E077E5DF3DD881E304
                                                                APIs
                                                                  • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                                  • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                                  • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                                  • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                                  • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                                  • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                                  • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                                • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                                • OpenEventA.KERNEL32 ref: 0000000140008454
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                                • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                                  • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                                  • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                                  • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                                  • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                                  • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                                  • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                                  • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                                • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                                • CloseHandle.KERNEL32 ref: 0000000140008554
                                                                • CloseHandle.KERNEL32 ref: 0000000140008561
                                                                • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                                • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                                • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                                • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                                • String ID:
                                                                • API String ID: 1089015687-0
                                                                • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                                • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                                • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                                • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                                • String ID:
                                                                • API String ID: 2074253140-0
                                                                • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                                • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                                • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                                • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID: iswdigit$btowclocaleconv
• String ID: 0$0
• API String ID: 240710166-203156872
• Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
• Instruction ID: e2480a9b631ffd658604a4d7651e01f449826f7f9dc809d7905fa24dff3846f3
• Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
• Instruction Fuzzy Hash: A8815B72A1855A8FF7258F25DC5027933A1FFA8B84F084235DA9A462D1EF3CE845D705
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID:
• String ID: 0123456789-+Ee
• API String ID: 0-1347306980
• Opcode ID: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
• Instruction ID: a397fc36d8bda1681f7a7840e1cc8857c22ba21067bf316f5f79627eb041ff02
• Opcode Fuzzy Hash: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
• Instruction Fuzzy Hash: D4C2C366A09A818EEB518F29C85027C3761FB69BC4F548431DB6D077E1EF3EE865E304
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID: memchr$isdigit$localeconv
• String ID: 0$0123456789abcdefABCDEF
• API String ID: 1981154758-1185640306
• Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
• Instruction ID: f3c8404b26b8ec14a8b70b786ee87b3b4604b55e8906bc7497527ac724f9162a
• Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
• Instruction Fuzzy Hash: 1E913C22A085964FEB268F24DC113BA7B91FB6C788F485034DEAE476C5DB3CE845E744
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
• String ID: 0123456789ABCDEFabcdef-+XxPp
• API String ID: 2141594249-3606100449
• Opcode ID: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
• Instruction ID: 57eb48f2325e682822f075f08c9105742f2d816fb22158d9361ab799215697ee
• Opcode Fuzzy Hash: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
• Instruction Fuzzy Hash: 92D29F32A0AA958EEB558F29C85017C3761EB68FC4F648531DA6D077E1EF3DE852E304
APIs
• _Find_elem.LIBCPMT ref: 00007FF8F8582C08
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85835B9
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85835C0
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85835C7
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8583776
  • Part of subcall function 00007FF8F8571DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8F856C320), ref: 00007FF8F8571DFB
  • Part of subcall function 00007FF8F8571DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FF8F856C320), ref: 00007FF8F8571E08
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
• String ID: 0123456789-
• API String ID: 2779821303-3850129594
• Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
• Instruction ID: 481b48a051a0ed963b2ccb34222d9619328966eaf8cda62f5689814f68e2baae
• Opcode Fuzzy Hash: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
• Instruction Fuzzy Hash: EEE2A126A09A958EEB508F19D8502BD3B70FB68BC4F649036DA6E077E5CF3DD881D704
APIs
• _Find_elem.LIBCPMT ref: 00007FF8F8581660
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8582011
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8582018
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F858201F
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85821CE
  • Part of subcall function 00007FF8F8571DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8F856C320), ref: 00007FF8F8571DFB
  • Part of subcall function 00007FF8F8571DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FF8F856C320), ref: 00007FF8F8571E08
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
• String ID: 0123456789-
• API String ID: 2779821303-3850129594
• Opcode ID: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
• Instruction ID: b14f698f6173279611c8850e50d96c0fe6caae7a109de56c187d055e70fd0c5a
• Opcode Fuzzy Hash: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
• Instruction Fuzzy Hash: C9E28E26A09A858AEF508F29D85027D3B74FB68BC4F649036DA6E077E5CF3DD881D704
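The two entries above share an API String ID (2779821303-3850129594) yet carry different Opcode IDs, which is exactly the kind of relation an analyst wants to pull out of these records programmatically rather than by eye. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security: it parses records laid out as on this page, decodes the dotted .sdmp file name into pid, run, region base and page protection, groups functions by API String ID, and compares Instruction Fuzzy Hashes with a plain hex-digit Hamming count. The SAMPLE text is constructed from three entries on this page trimmed to the fields used; the field layout assigned to the .sdmp name is an assumption inferred from the visible values (the hcaresult_12_2_<base>_… snapshot names repeat the same pid, run and base), and the Hamming count is a rough near-duplicate check, not Joe Sandbox's own similarity metric.

```python
"""Parse Joe Sandbox function-similarity records and cluster them.

Added example, not code from the Joe Sandbox report. SAMPLE is constructed
from three entries on this page, trimmed to the fields used. The meaning
given to the dotted .sdmp fields is an assumption inferred from the values.
"""
import re
from collections import defaultdict

SAMPLE = """\
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
• String ID: 0123456789-
• API String ID: 2779821303-3850129594
• Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
• Instruction Fuzzy Hash: EEE2A126A09A958EEB508F19D8502BD3B70FB68BC4F649036DA6E077E5CF3DD881D704
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
• String ID: 0123456789-
• API String ID: 2779821303-3850129594
• Opcode ID: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
• Instruction Fuzzy Hash: C9E28E26A09A858AEF508F29D85027D3B74FB68BC4F649036DA6E077E5CF3DD881D704
Memory Dump Source
• Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
• API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
• String ID:
• API String ID: 2074253140-0
• Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
• Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
"""

FIELD_RE = re.compile(r"^• ([^:]+):\s*(.*)$")
# Assumed layout: pid.run.id.base.protect.unknown.type.index.sdmp
DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$"
)
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

# Windows PAGE_* protection constants (MEMORY_BASIC_INFORMATION.Protect).
PAGE_PROTECT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
MEM_IMAGE = 0x01000000  # MEMORY_BASIC_INFORMATION.Type for a mapped image


def parse_records(text):
    """Return one dict per 'Memory Dump Source' block, keyed by bullet label."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return records


def decode_dump_name(source_file):
    """Decode a 'Source File' value; field meanings are an assumption."""
    name = source_file.split(",", 1)[0].strip()
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("unexpected dump name: " + name)
    pid, run, _stamp, base, protect, _unknown, mtype, index = m.groups()
    off = OFFSET_RE.search(source_file)
    return {
        "pid": int(pid, 16),
        "run": int(run, 16),
        "base": int(base, 16),  # start of the dumped region (.text here)
        "module_base": int(off.group(1), 16) if off else None,
        "protect": PAGE_PROTECT.get(int(protect, 16), protect),
        "image": int(mtype, 16) == MEM_IMAGE,
        "module_index": int(index, 16),
    }


def cluster(records, key):
    """Group Opcode IDs by a similarity field such as 'API String ID'."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get(key, "")].append(r["Opcode ID"])
    return dict(groups)


def nibble_distance(h1, h2):
    """Count differing hex digits; a crude check, not Joe Sandbox's metric."""
    if len(h1) != len(h2):
        raise ValueError("hash length mismatch")
    return sum(a != b for a, b in zip(h1, h2))


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        d = decode_dump_name(r["Source File"])
        print(f"pid={d['pid']} run={d['run']} module={d['module_base']:#x} "
              f"{d['protect']} image={d['image']} opcode={r['Opcode ID'][:12]}")
    for sig, ids in cluster(recs, "API String ID").items():
        if len(ids) > 1:
            print("shared API/String signature", sig, "->", ids)
    print("fuzzy-hash digit distance:", nibble_distance(
        recs[0]["Instruction Fuzzy Hash"], recs[1]["Instruction Fuzzy Hash"]))
```

Run directly, it prints the decoded regions (pid 12, run 2, the 0x140000000 main image and the 0x7FF8F8560000 module, both PAGE_EXECUTE_READ image mappings), the one API String ID shared by two functions, and a distance of 10 differing digits out of 70 between their fuzzy hashes. Grouping on API String ID is cheap and exact; the fuzzy-hash distance is only a hint and should be tuned against known-good pairs before it drives any decision.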
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID: iswdigit$localeconv
• String ID: 0$0$0123456789abcdefABCDEF
• API String ID: 2634821343-613610638
• Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
• Instruction ID: 8cb83baa3714e936ca98f4f791148e9e93816ead209bcc1b5e00e7cc9bc2ade4
• Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
• Instruction Fuzzy Hash: 9D814962E0856A8BFB258F24DC5027936A0FB68B84F088131DF9A476C0EB3CE845D785
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
• String ID: .$.
• API String ID: 479945582-3769392785
• Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
• Instruction ID: 58b88bbd8a0c2d85d1325a053533ccffbbb18abcd94d2ad542472b2de6f2dd6a
• Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
• Instruction Fuzzy Hash: 91418122A186818AEB119F65EC492797360FB697E4F404235EBBD036D4EF7CD485D704
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID:
• String ID: 0123456789-+Ee
• API String ID: 0-1347306980
• Opcode ID: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
• Instruction ID: e4d61c18141c580c504e271dc2f01ba970248a09e0fd807b311f44b7654eeb91
• Opcode Fuzzy Hash: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
• Instruction Fuzzy Hash: D1C25936A09A8A8EEB548F19D85017D3761FB68BC4F948031DA6E077D1CF3DE8A5E305
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
• Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
Similarity
• API ID:
• String ID: 0123456789-+Ee
• API String ID: 0-1347306980
• Opcode ID: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
• Instruction ID: fcb3eb8895b630418022fb7b4b3ef152a7f02b2aaf162c5747ca77c9d5c8bddc
• Opcode Fuzzy Hash: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
• Instruction Fuzzy Hash: C3C25C66A09A8A8AEB548F19D85017D3761FB68BC4F94C031DE6E077D1CF3DE8A5E304
                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85865AB
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F858663D
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85866E0
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8586B9C
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8586BEE
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8586C35
                                                                  • Part of subcall function 00007FF8F858EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8F857923E), ref: 00007FF8F858EC08
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                • String ID:
                                                                • API String ID: 15630516-0
                                                                • Opcode ID: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                                • Instruction ID: 81b881630292985e9a8b32813944243674312dd847aa74757fc1927f2684e37e
                                                                • Instruction Fuzzy Hash: 0152C562A08B858AEB508F29D8481BD77A1FB68BD8F605132DB6D03BD5EF3CD584D344
                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8586EF7
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8586F89
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F858702C
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85874E8
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F858753A
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8587581
                                                                  • Part of subcall function 00007FF8F858EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8F857923E), ref: 00007FF8F858EC08
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                • String ID:
                                                                • API String ID: 15630516-0
                                                                • Opcode ID: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                                • Instruction ID: e809344ad3413ba4dfc885dcbbbbd7abfa7f44b2746e6cf8a30f2f6f11db9434
                                                                • Instruction Fuzzy Hash: 5B52A322A18B858AEB50CF29D8451BD6761FBA8BD8F605132EB6D03BD5EF3CD580D344
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 1799700165-0
                                                                • Opcode ID: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                                • Instruction ID: 3a6b280c2881091f38a62e61b74d670a019ca3ad59059a788fa850ef2ffa55ac
                                                                • Instruction Fuzzy Hash: D52112B5611A80CAE71DEE37A8523EA1362E79C7C4F149536BF594FAAEDE31C4218340
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                                • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                                • API String ID: 1825414929-3606100449
                                                                • Opcode ID: ddd61782d9e4402da2bcb03becf798ae66cc8a3793171496245683449c1d3606
                                                                • Instruction ID: 01114c055054077c95a7038a91af36b055c10f6840f26504ccd84d8a79417bad
                                                                • Instruction Fuzzy Hash: 43D25A26A09A8A8EEB548F19C85013C3761FB68BC4F54D131DA6E077E8DF3DE856E314
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                                • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                                • API String ID: 1825414929-3606100449
                                                                • Opcode ID: a2c3201d2fc563089677c4d096e338824b1e6b1947c9be9f1e037a0ad47d033a
                                                                • Instruction ID: a15e628afaa2ab971756002208fca49637335cc06b53958cdf9167aec5895d63
                                                                • Instruction Fuzzy Hash: 0ED24A26A09BAA8AEB548F19D85013C3761EB68FC4F94D031DA6E077E0DF3DE855E314
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                                • String ID:
                                                                • API String ID: 1326169664-0
                                                                • Opcode ID: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                                • Instruction ID: 05250dfb929c1675e26dbb20099590d344b7a1f4cdfc50a875158aa6b90d6b06
                                                                • Instruction Fuzzy Hash: AFE18C22B09B468AEB00CFA5D8441AC6372FB6CBD8F508126DE6D17B99DF3CD44AD314
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                                • String ID:
                                                                • API String ID: 1326169664-0
                                                                • Opcode ID: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                                • Instruction ID: 174a74bc13a6d22423eb881c93d3c05c0111b7146d6c6677be44551ff6f95da2
                                                                • Instruction Fuzzy Hash: FBE17B22B19B468AEB00CFA5D8441AC6371FB6CBD8F508126DE6D17B98DF3CD44AD314
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memchr
                                                                • String ID: 0123456789ABCDEFabcdef-+Xx
                                                                • API String ID: 2740501399-2799312399
                                                                • Opcode ID: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
                                                                • Instruction ID: 02ba71d358277a524d72058b35997cd000fb8d173071cb3f33b785f43d2a64a8
                                                                • Instruction Fuzzy Hash: 2052B122B0A6958EFB518F29C85017C3B61BB29BD4F648431CE6D177D1EF39E856E304
                                                                APIs
                                                                  • Part of subcall function 00007FF8F8597600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF8F8563887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8F859760F
                                                                  • Part of subcall function 00007FF8F856F6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FF8F8594C66,?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE66), ref: 00007FF8F856F6FC
                                                                • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE77), ref: 00007FF8F8585F35
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE77), ref: 00007FF8F8585F4A
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE77), ref: 00007FF8F8585F58
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$Gettnames_lock_localesrealloc
                                                                • String ID:
                                                                • API String ID: 3705959680-0
                                                                • Opcode ID: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
                                                                • Instruction ID: 034b26473570beb2f0848f0304d526aac64c2c469a296db45b51fb2f086b29fd
                                                                • Instruction Fuzzy Hash: 39822821A09A128FEB55DF25DC512B927A0AF6C7C0F944136E93E463E2EF3CE541E348
                                                                APIs
                                                                  • Part of subcall function 00007FF8F8597600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF8F8563887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8F859760F
                                                                  • Part of subcall function 00007FF8F856F6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FF8F8594C66,?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE66), ref: 00007FF8F856F6FC
                                                                • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE88), ref: 00007FF8F8585245
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE88), ref: 00007FF8F858525A
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE88), ref: 00007FF8F8585268
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$Gettnames_lock_localesrealloc
                                                                • String ID:
                                                                • API String ID: 3705959680-0
                                                                • Opcode ID: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
                                                                • Instruction ID: 9112dccb65a89a6ad723592ad568ee2175d109e35b3305aff845f3eee4086c52
                                                                • Instruction Fuzzy Hash: 22822A21A09A128FEB45DF25DC512B927A1AF7CBC4F544136E92E467E2EF3CE441E308
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ErrorFormatLastMessage
                                                                • String ID: GetLastError() = 0x%X
                                                                • API String ID: 3479602957-3384952017
                                                                • Opcode ID: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                                • Instruction ID: 03957f339625c86e619908699dc07c15f857aa178ffe48bb474e222578fe156c
                                                                • Instruction Fuzzy Hash: 63219032A18BC083E7118B2AE400399B7A4F7D97A4F159315EBE8036E9EB78C545CB40
                                                                APIs
                                                                  • Part of subcall function 00007FF8F8591E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F8591F72
                                                                  • Part of subcall function 00007FF8F8597600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF8F8563887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8F859760F
                                                                • _Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE66,?,?,?,?,?,?,?,00007FF8F856F7E7), ref: 00007FF8F8594BCF
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE66,?,?,?,?,?,?,?,00007FF8F856F7E7), ref: 00007FF8F8594BE4
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FF8F856FE66,?,?,?,?,?,?,?,00007FF8F856F7E7), ref: 00007FF8F8594BF3
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
                                                                • String ID:
                                                                • API String ID: 962949324-0
                                                                • Opcode ID: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                                • Instruction ID: 6d945d0f15fa3d0663273c339ddf1da34814b5632f3b9f29576b3f027d98b4b1
                                                                • Opcode Fuzzy Hash: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                                • Instruction Fuzzy Hash: DD321C25A09A028FEB469F65DC511B926A1AF7C7C4F884035D92E473E6EF3CE451E348
                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85846ED
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F858473B
                                                                  • Part of subcall function 00007FF8F858EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8F857923E), ref: 00007FF8F858EC08
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                • String ID:
                                                                • API String ID: 15630516-0
                                                                • Opcode ID: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                                • Instruction ID: a2bd4b369d14f4b004b7419ec80a8daa628c9a4c86e48b045b21db28b7f1c76d
                                                                • Opcode Fuzzy Hash: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                                • Instruction Fuzzy Hash: E7D16D22B09B858AFB00CFA5D9412AC6372EB6CBD8F544132DE6D27B99DF38D449D344
                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85842AD
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8F85842FB
                                                                  • Part of subcall function 00007FF8F858EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FF8F857923E), ref: 00007FF8F858EC08
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                • String ID:
                                                                • API String ID: 15630516-0
                                                                • Opcode ID: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                                • Instruction ID: 7d04cd4c999ae728ddbdfae41563a8a3800ec2f6ad5e5918789fdf37a0887541
                                                                • Opcode Fuzzy Hash: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                                • Instruction Fuzzy Hash: 29D16D22B09B468AFB00CFA5D9412AC6372EB6CBD8F544132DE6D27B99DF38D449D344
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                                • String ID:
                                                                • API String ID: 1654775311-0
                                                                • Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                                • Instruction ID: 3db46de885f8e0c21b0872b45962d7a548fceec375cdfc8c07976f655e3ee2d4
                                                                • Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                                • Instruction Fuzzy Hash: 11A1A162F096A68EFF108F6598506BC27B1BB29BD8F948035DE6E17BC5DF389441E304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                                • String ID:
                                                                • API String ID: 1654775311-0
                                                                • Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                                • Instruction ID: 1ff46d27fd1b77a0716cb29142512429111a599349be4daf2214ec5fc23b8d18
                                                                • Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                                • Instruction Fuzzy Hash: 82A1BF62B0969A8EFF508FA59C506BC27A1BB29BD8F548035DE6D17BC5CF38E441E304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: DiskFreeSpace_invalid_parameter_noinfo_noreturnmemcpymemmove
                                                                • String ID:
                                                                • API String ID: 1762017149-0
                                                                • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                                • Instruction ID: e624bad42a290fc3cab8e48ef6e8eefa5be1a4141c9cc604e1c7745b98b3aa76
                                                                • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                                • Instruction Fuzzy Hash: A9415622B04B459DFB00CFA5D8412AC37B5BB68BA8F545626DE6D23B98EF38D085C340
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: InfoLocale___lc_locale_name_func
                                                                • String ID:
                                                                • API String ID: 3366915261-0
                                                                • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                                • Instruction ID: 0d1874571ead84452a63015b11d5240133d4bbb37c345b4d74772188dc0439b8
                                                                • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                                • Instruction Fuzzy Hash: 89F0583292C042CFE3A95B18DC597382260FBAC385F600032E12F422D0DF6CD584A745
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                                • Instruction ID: 843d7aa980a19adee75c0d84c6a739dd42f01127d42b22f0abf4dcdd6da91d5b
                                                                • Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                                • Instruction Fuzzy Hash: 34021D26A09A458EEF508F15C85037D23A1EB68FC8F649032DA6E177D5CF3DD88AE714
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                                • Instruction ID: ca554c8f9c0acc3c736f0db00c16a258ce5f1322916959c3c95233c0eb698975
                                                                • Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                                • Instruction Fuzzy Hash: 60024F22A09A458EFB518F29C85037C37A1AB68FD8F549031CA6D477E5CF7DD886E314
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _lock_locales
                                                                • String ID:
                                                                • API String ID: 3756862740-0
                                                                • Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                                • Instruction ID: 3385f418564718c6ea18014ada4a4b63c03865126150dc378473e8ec73026e82
                                                                • Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                                • Instruction Fuzzy Hash: 1DE17A21E09A028FEB569F25DC611B926A1AF7C7C0F944136E96D477E6EF3CE441A308
                                                                APIs
                                                                • memset.VCRUNTIME140 ref: 000000014000475B
                                                                  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                                  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                                  • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                                • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                                  • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                                • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                                • API String ID: 2423274481-1946953090
                                                                • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                                • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                                • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                                • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                                • API String ID: 2943138195-1388207849
                                                                • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                                • Instruction ID: edfb89190989dfd4da42f7cfa8723fa1dd6efd03824d1452dfcb8d2f35737360
                                                                • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                                • Instruction Fuzzy Hash: D5F12A72E18A169CFB148F64DC942B82AB0BB297C4F405635CB3E56AE8DF7DE645C340
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID: `anonymous namespace'
                                                                • API String ID: 2943138195-3062148218
                                                                • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                                • Instruction ID: f8c7bbe8730bcc1ece6767742977525aee6b4560216566db5445d88df98889b4
                                                                • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                                • Instruction Fuzzy Hash: C3E19EB2A08B8299EB10CF24EC841AD77A0FB68784F444235EB7E57B95DF38E654C700
                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                                • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                                • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                                • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                                • String ID: (
                                                                • API String ID: 703713002-3887548279
                                                                • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                                • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                                • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                                • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                                • String ID: [NOT FOUND ] %s
                                                                • API String ID: 2350601386-3340296899
                                                                • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                                • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                                • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                                • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID:
                                                                • API String ID: 2943138195-0
                                                                • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                                • Instruction ID: 3fa09191d25553c5321de1bb2d385631cc92d459f782b10254314ac2f3a81f4d
                                                                • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                                • Instruction Fuzzy Hash: D0F15B72A08A829EE711DFA4D8901EC37B1FB28788B444275EF7D67AD5DE38D609C340
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                • String ID:
                                                                • API String ID: 1818695170-0
                                                                • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                                • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                                • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                                • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                                • API String ID: 2943138195-2309034085
                                                                • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                                • Instruction ID: 5e037f452f092f65260d0a8ca8e000d2cff699790d7e97136e3c834363e9b83d
                                                                • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                                • Instruction Fuzzy Hash: 10E14962E086528CFB199F649D951FC27A0AF6D7C8F540336CF3E66AD9EE3CA5058340
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                                • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                                • API String ID: 140832405-680935841
                                                                • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                                • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                                • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                                • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                • String ID: csm$csm$csm
                                                                • API String ID: 3436797354-393685449
                                                                • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                                • Instruction ID: 741bf3c1373479112645bea0116029017bc0786cd794bdfaf2946ce71b18b046
                                                                • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                                • Instruction Fuzzy Hash: 1AD17332A087458EEB109F65D8412AD7BA4FB69BD8F100235DF6D67B99CF38E455C700
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                                • String ID:
                                                                • API String ID: 3420081407-0
                                                                • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                                • Instruction ID: d1ac6c5df3e84ae8f665cca8de371ecb958f8bece9d0c6eff034a14ff0969e59
                                                                • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                                • Instruction Fuzzy Hash: 71A1C362A087828FFB758F108C043B96692AF68BE4F484631DA7D56BC5EFBCD4459348
                                                                APIs
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                  • Part of subcall function 00007FF8F859B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                  • Part of subcall function 00007FF8F859B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F857A87E), ref: 00007FF8F8576971
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F857A87E), ref: 00007FF8F857698E
                                                                • _Maklocstr.LIBCPMT ref: 00007FF8F85769AA
                                                                • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F857A87E), ref: 00007FF8F85769B3
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F857A87E), ref: 00007FF8F85769D0
                                                                • _Maklocstr.LIBCPMT ref: 00007FF8F85769EC
                                                                • _Maklocstr.LIBCPMT ref: 00007FF8F8576A01
                                                                  • Part of subcall function 00007FF8F8564D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D72
                                                                  • Part of subcall function 00007FF8F8564D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D98
                                                                  • Part of subcall function 00007FF8F8564D50: memcpy.VCRUNTIME140(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564DB0
                                                                Strings
                                                                • :AM:am:PM:pm, xrefs: 00007FF8F85769FA
                                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF8F85769DB
                                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8F8576999
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                                • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                • API String ID: 2460671452-35662545
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                                • String ID:
                                                                • API String ID: 1733283546-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                • String ID:
                                                                • API String ID: 3166507417-0
                                                                APIs
                                                                • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                                • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                                • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                                • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                                • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                                • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                                • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                                • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                                • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                                • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                                  • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                                  • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                                  • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                                  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                                  • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                                  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                                  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                                  • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                                • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                                • String ID:
                                                                • API String ID: 2702579277-0
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2003779279-1866435925
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                                • API String ID: 0-3207858774
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+$Name::operator+=
                                                                • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                                • API String ID: 179159573-1464470183
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                • String ID:
                                                                • API String ID: 3781602613-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID:
                                                                • API String ID: 2943138195-0
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                • String ID: csm$csm$csm
                                                                • API String ID: 211107550-393685449
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memchrtolower$_errnoisspace
                                                                • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                                • API String ID: 3508154992-2692187688
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                                • API String ID: 2943138195-2239912363
                                                                APIs
                                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                                • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                                  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                                • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                • String ID: ImptRED_CEvent_
                                                                • API String ID: 2242036409-942587184
                                                                APIs
                                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                                • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                                  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                                • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                • String ID: ImptRED_SEvent_
                                                                • API String ID: 2242036409-1609572862
                                                                APIs
                                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                                • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                                  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                                • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                • String ID: ImptRED_CmdMap_
                                                                • API String ID: 2242036409-3276274529
                                                                APIs
                                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                                • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                                • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                                  • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                  • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                  • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                  • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                  • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                  • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                                • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                • String ID: ImptRED_DMap_
                                                                • API String ID: 2242036409-2879874026
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 1099746521-1866435925
                                                                APIs
                                                                  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                                  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                                  • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                                  • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                                • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                                • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                                • String ID: MRDH$SideCarLut
                                                                • API String ID: 916663099-3852011117
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2003779279-1866435925
                                                                • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                                • Instruction ID: 2b9d9d30c1da99f35255d6c8e4e19777d61f410251953c5065797836c090b93e
                                                                • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                                • Instruction Fuzzy Hash: 2161BF22608A568BEB64CF15D8953B96760FBA8FC4F548036CA6E833F5DF2DD446D304
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 1428583292-1866435925
                                                                • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                                • Instruction ID: 50986e6827dee817f991d3201bac6a7a2d0f7f4082b4c138c205acb9865cb174
                                                                • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                                • Instruction Fuzzy Hash: 49718F72619A869EEB50CF25E8802BD33A0FB68BC8F848032EA5D47795DF3DD555E304
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                                • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                                • API String ID: 1852475696-928371585
                                                                • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                                • Instruction ID: c8d6f9f44870aa2977c49f31d15b91c3fbe6977eeff3abc2c5276627dfb8f898
                                                                • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                                • Instruction Fuzzy Hash: 5B519F62A19A469ADF24CF25EC906B96360FB68BC4F404631DB7E476AADF3CE505C300
                                                                APIs
                                                                • std::ios_base::failure::failure.LIBCPMT ref: 00007FF8F85A98D3
                                                                • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8F859C678), ref: 00007FF8F85A98E4
                                                                • std::ios_base::failure::failure.LIBCPMT ref: 00007FF8F85A9927
                                                                • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8F859C678), ref: 00007FF8F85A9938
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2003779279-1866435925
                                                                • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                                • Instruction ID: ef3d0879b5dec494adce4bfd949d987712f4bc5a980f5a1c0597a7dd1b10902a
                                                                • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                                • Instruction Fuzzy Hash: 6B618022A08A468AEB54CF19D8953B92760FBA8FC4F448036CA6E873F5DF2DD446D304
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memchrtolower$_errnoisspace
                                                                • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                                • API String ID: 3508154992-4256519037
                                                                • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                                • Instruction ID: d90c192eca57aa024bf59921fa0514f33a2b72f7410709003de0a005c7cb3aea
                                                                • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                                • Instruction Fuzzy Hash: 77510522A0D6868FE7228F659C153B9B690AFA97D4F084034DDAD427D4DF3CE842A714
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2003779279-1866435925
                                                                • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                                • Instruction ID: bca0a6ea88e304da88bcbb7070bbc0bb710c9e32bbf32113a3adca2572e8a702
                                                                • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                                • Instruction Fuzzy Hash: 81518F62B0890A8BEF50DF19DC812A967A0FB68BC4F944136DA6D837F5EF2DD845D304
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+$Name::operator+=
                                                                • String ID: {for
                                                                • API String ID: 179159573-864106941
                                                                • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                                • Instruction ID: 3ff9c59f09ab1565913830e273fdc5af753ed99747d1237c120c57d63419e6e5
                                                                • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                                • Instruction Fuzzy Hash: 69513672A08A85AEE7118F24D8413E863A1FB68788F848231EB6D57BD5DF7CE655C340
                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FF8FF5B6A6B,?,?,00000000,00007FF8FF5B689C,?,?,?,?,00007FF8FF5B65E5), ref: 00007FF8FF5B6931
                                                                • GetLastError.KERNEL32(?,?,?,00007FF8FF5B6A6B,?,?,00000000,00007FF8FF5B689C,?,?,?,?,00007FF8FF5B65E5), ref: 00007FF8FF5B693F
                                                                • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8FF5B6A6B,?,?,00000000,00007FF8FF5B689C,?,?,?,?,00007FF8FF5B65E5), ref: 00007FF8FF5B6958
                                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FF8FF5B6A6B,?,?,00000000,00007FF8FF5B689C,?,?,?,?,00007FF8FF5B65E5), ref: 00007FF8FF5B696A
                                                                • FreeLibrary.KERNEL32(?,?,?,00007FF8FF5B6A6B,?,?,00000000,00007FF8FF5B689C,?,?,?,?,00007FF8FF5B65E5), ref: 00007FF8FF5B69B0
                                                                • GetProcAddress.KERNEL32(?,?,?,00007FF8FF5B6A6B,?,?,00000000,00007FF8FF5B689C,?,?,?,?,00007FF8FF5B65E5), ref: 00007FF8FF5B69BC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                                • String ID: api-ms-
                                                                • API String ID: 916704608-2084034818
                                                                • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                                • Instruction ID: d83e64434e90de7a35f306993a8007f277f5358e6e9513aecada75554bb46c61
                                                                • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                                • Instruction Fuzzy Hash: EE31B021A1AA4699EF11DF12AC001B56294BF2DBE0F5A4635DE3E4B3D4EF3CE145C300
                                                                APIs
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                  • Part of subcall function 00007FF8F859B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                  • Part of subcall function 00007FF8F859B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F8591309
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F8591326
                                                                • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F859134B
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F8591368
                                                                  • Part of subcall function 00007FF8F8564D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D72
                                                                  • Part of subcall function 00007FF8F8564D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D98
                                                                  • Part of subcall function 00007FF8F8564D50: memcpy.VCRUNTIME140(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564DB0
                                                                Strings
                                                                • :AM:am:PM:pm, xrefs: 00007FF8F8591392
                                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF8F8591373
                                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8F8591331
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                                • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                • API String ID: 1539549574-35662545
                                                                • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                                • Instruction ID: ddde1d053b9faa1951e70b771c352b7256572fe61ff512867ffc8ac9a7005106
                                                                • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                                • Instruction Fuzzy Hash: E0215A36A04B418AEB14DF21E8402A873A1FBA8BD4F448231DA6D07796EF3CE585D344
                                                                APIs
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                  • Part of subcall function 00007FF8F859B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                  • Part of subcall function 00007FF8F859B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8576A5E
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8576A7B
                                                                • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8576A9B
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8576AB8
                                                                  • Part of subcall function 00007FF8F8564DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8576AB5,?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8564DF9
                                                                  • Part of subcall function 00007FF8F8564DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8576AB5,?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8564E28
                                                                  • Part of subcall function 00007FF8F8564DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FF8F8576AB5,?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8564E3F
                                                                Strings
                                                                • :AM:am:PM:pm, xrefs: 00007FF8F8576AD4
                                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8F8576A86
                                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FF8F8576AC3
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                                • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                • API String ID: 1539549574-3743323925
                                                                • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                                • Instruction ID: 53f623e121f164e749302f960b6f804f98c89693e96dbc1bbee0f5d4e6faf63e
                                                                • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                                • Instruction Fuzzy Hash: 33212A22E08B468BEB10DF21E85426973B0FBA9BC4F404235DA6E43796EF7CE584D744
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: abort$AdjustPointer
                                                                • String ID:
                                                                • API String ID: 1501936508-0
                                                                • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                                • Instruction ID: 024ee4d5a0ecbadac642ef528802f905dbc8594925d1d5e9d1ac5ecc1001ffa5
                                                                • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                                • Instruction Fuzzy Hash: 3A51A021A09A428DEF679F119C446386390AF7EFC4F054635CB7E46BD5DEACE442C324
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: abort$AdjustPointer
                                                                • String ID:
                                                                • API String ID: 1501936508-0
                                                                • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                                • Instruction ID: 1b0e4da2aa5ad33659a60bbb8fa14aeb3990c36365d6e24dcb69ea291d058ce2
                                                                • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                                • Instruction Fuzzy Hash: C0519221E09B4389EF669F559C442386794AF6DFC0F0A8635DB7E4A7C5DFACD4828320
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                • String ID:
                                                                • API String ID: 578106097-0
                                                                • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                                • Instruction ID: 3d3b1972351455127d99e1038cd0d63c74dbe17a77d26d68aa7183828d8bad7f
                                                                • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                                • Instruction Fuzzy Hash: C161E122B1C6428BEB11DF61EC815BE6721FBA87D4F500532EA5D176C5DF3CE50A9708
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                • String ID:
                                                                • API String ID: 578106097-0
                                                                • Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                                • Instruction ID: 09265b84a54320def3ade2c862d18269ed58e371b2fdbd5bf067fa7deeb84478
                                                                • Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                                • Instruction Fuzzy Hash: 6D61C322B1C6428BEB11DF61EC815AE6720FBA97C4F500132EE5E57AC5DF3CE54A9B04
                                                                APIs
                                                                  • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                  • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                  • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                                • memmove.VCRUNTIME140 ref: 000000014000C3C8
                                                                • memmove.VCRUNTIME140 ref: 000000014000C427
                                                                  • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                                  • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memcpy$memmove$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                                • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                                • API String ID: 1084872782-103080910
                                                                • Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                                • Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
                                                                • Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                                • Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: FileHeader_local_unwind
                                                                • String ID: MOC$RCC$csm$csm
                                                                • API String ID: 2627209546-1441736206
                                                                • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                                • Instruction ID: fec47598f0f2f15635c3bcb9369a2651bfdccdae265231ea6cd1b58eaae79292
                                                                • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                                • Instruction Fuzzy Hash: 6D516D72A096128EEB649F25984137D66A0FFACFD4F150231EB7D567CADF3CE4818A01
                                                                APIs
                                                                • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                                • String ID:
                                                                • API String ID: 1492985063-0
                                                                • Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                                • Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
                                                                • Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                                • Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300
                                                                APIs
                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BB38
                                                                • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BB48
                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BB5D
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BB91
                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BB9B
                                                                • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BBAB
                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BBBB
                                                                  • Part of subcall function 00007FF8F85B25AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565AF8), ref: 00007FF8F85B25C6
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                                • String ID:
                                                                • API String ID: 2538139528-0
                                                                • Opcode ID: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                                • Instruction ID: 49ad4f154d6678147f5f4e02466228ddf1bb58e400a56ec03dd5d60a86329034
                                                                • Opcode Fuzzy Hash: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                                • Instruction Fuzzy Hash: 6041C521B08A819BEF04AF56E8442A96351FB58BD4F584532EE2D0BBDADF7CD041D345
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: CurrentThread$xtime_get
                                                                • String ID:
                                                                • API String ID: 1104475336-0
                                                                • Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                                • Instruction ID: f3e620adf9ab218fa8204b1abeb276a1291a77a595389dfac3a26e42b9f83928
                                                                • Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                                • Instruction Fuzzy Hash: 99413F35A0864A8FEB64CF55DC402BD63A0EB28BD4F808035D7AE426E1DF3DE485E705
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2924853686-1866435925
                                                                • Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                                • Instruction ID: 61819efdc67ca99e654f27b18c34d6acc6bc1b709df38a9cde3b3e94c39d72cd
                                                                • Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                                • Instruction Fuzzy Hash: 51418B72A14B4A9BEB548F24E8403AD33A0FB28BD8F848135DA5C47695DF3CE594D744
                                                                APIs
                                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8F8583B56
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                  • Part of subcall function 00007FF8F859B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                  • Part of subcall function 00007FF8F859B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                • _Maklocstr.LIBCPMT ref: 00007FF8F8583BCF
                                                                • _Maklocstr.LIBCPMT ref: 00007FF8F8583BE5
                                                                • _Getvals.LIBCPMT ref: 00007FF8F8583C8A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                • String ID: false$true
                                                                • API String ID: 2626534690-2658103896
                                                                • Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                                • Instruction ID: 52cb47350deb6f5c8ab7d4ee19555cbc0239a7d59720daa2f500b5580dd34594
                                                                • Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                                • Instruction Fuzzy Hash: E1415C26B08A459EF710CF74E8401ED33B0FBA8788F445226EE5D27A99EF38D556D344
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: NameName::atol
                                                                • String ID: `template-parameter$void
                                                                • API String ID: 2130343216-4057429177
                                                                • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                                • Instruction ID: a4e9580826770d9bc1a6de6f5f2425a2e9e02b6bd44a5d5139425fd4c434fa3f
                                                                • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                                • Instruction Fuzzy Hash: 04411662A08A568CFB059FA4DC512BC23B1BB28BC4F551235DE2D67B99DF7CA505C340
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                • API String ID: 2943138195-2211150622
                                                                • Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                                • Instruction ID: 7d81f80d91f786c08d30ccc37782ad8556b26f6ed14972825f4e6edd43996a4d
                                                                • Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                                • Instruction Fuzzy Hash: F6411572A18B468CFB028F24DC802A837A0BB2C788F545235DB7E5B7A4DF3CA546C754
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID: char $int $long $short $unsigned
                                                                • API String ID: 2943138195-3894466517
                                                                • Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                                • Instruction ID: 4feffbe0dbc2ba93f94d867cce72f57a16f1231e05b0ba8d107294d9d183f5e2
                                                                • Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                                • Instruction Fuzzy Hash: 80414572A18A568DEB128FA8DC851BC37A1BB2C784F448275CE7D56BA8DF3CA544C710
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                                • String ID:
                                                                • API String ID: 3009415009-0
                                                                • Opcode ID: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                                • Instruction ID: 415b86ea575fe7b62b605eb9516667504af6b7a373f14ffd79bb375175ad830d
                                                                • Opcode Fuzzy Hash: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                                • Instruction Fuzzy Hash: 01E16F66B09B858AEB11CFA5D8402AC2371FB6CBD8F504125DE6D27B99DF38D44AD304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Dunscale$_errno
                                                                • String ID:
                                                                • API String ID: 2900277114-0
                                                                • Opcode ID: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                                • Instruction ID: 9d70e2445f9b0fc08f5cfb5ee9a91046cefe8fd454263bafc6d0a125b6fc151b
                                                                • Opcode Fuzzy Hash: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                                • Instruction Fuzzy Hash: 62A19326A18E468FE711DF348C401BD1362FF7E7E4F514235EA6A6A5C5EF38E096A304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Dunscale$_errno
                                                                • String ID:
                                                                • API String ID: 2900277114-0
                                                                • Opcode ID: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                                • Instruction ID: 4292100034d4ed907abba5d54322951b17a1a26f63bb32ff5759af47edf2a7d9
                                                                • Opcode Fuzzy Hash: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                                • Instruction Fuzzy Hash: 6EA19E32A086469FEF109F26C9801BC6352FF6D7D8F544A31EA6D125D5EF38F09AA704
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memmove$memcpy$_invalid_parameter_noinfo_noreturn
                                                                • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                                • API String ID: 100741404-1215215629
                                                                • Opcode ID: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                                • Instruction ID: 1f94f83d43c849715069b53280c3cf1e8531b19b99bc01c412034d7b6d4e24df
                                                                • Opcode Fuzzy Hash: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                                • Instruction Fuzzy Hash: B19122B1211A8499EB22DF27F8503DA7361F74ABD4F884222EB490B7B9DB7EC141C701
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: fgetc
                                                                • String ID:
                                                                • API String ID: 2807381905-0
                                                                • Opcode ID: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                                • Instruction ID: 3d3ca34688af0dbf89f12b45e0d69e69bda5c26efd7198c025215d01dc080211
                                                                • Opcode Fuzzy Hash: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                                • Instruction Fuzzy Hash: CB915B36605A418EEB60CF25C8843AC33A1FBA8BD8F551232EA2D47BD9EF39C444D304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                • String ID:
                                                                • API String ID: 3490103321-0
                                                                • Opcode ID: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                                • Instruction ID: 2ec2261aabd2318ec9859d657a84cef60f952d2ea730feb09806f07db72905c6
                                                                • Opcode Fuzzy Hash: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                                • Instruction Fuzzy Hash: 0A61F222B1C6568BEB11DF61EC815BE6721FBA83C4F500532EA5D176C9DF3CD5099708
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                • String ID:
                                                                • API String ID: 3490103321-0
                                                                • Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                                • Instruction ID: a32db7ccfdbc177e991d5e90ab25559d362e8f965c9e131a9ea6780669f50809
                                                                • Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                                • Instruction Fuzzy Hash: C261C322B186568BFB11DF61EC405BE6720FBA8784F500132EE5E57AC5DF3CE50A9B04
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 1775671525-0
                                                                • Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                                • Instruction ID: e51c0ebe558e85c4e734447ece39f9433d303ca4a7130365754b11d1e70e2b05
                                                                • Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                                • Instruction Fuzzy Hash: 1D41E4617186459AEF149F16A8082A96351EB2CBE0F584631DE7D07BE9EF7CE041E308
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: FileHandle$CloseCreateInformation
                                                                • String ID:
                                                                • API String ID: 1240749428-0
                                                                • Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                                • Instruction ID: 70066d60d311dfb0ae004560df53e95df993ebdf6e6ea9a6bffee4a9b2bf31f6
                                                                • Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                                • Instruction Fuzzy Hash: 04419C22F086418FF761CFA5AC517BA33A0AB687E8F015735EE2C02AD4EF3895959744
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                                • String ID:
                                                                • API String ID: 3741236498-0
                                                                • Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                                • Instruction ID: 541856659d2e37a022ed62e533f85b2c92351ef117abb1bad5fada05acb73802
                                                                • Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                                • Instruction Fuzzy Hash: 0A31BE22B19B9189EB158F26AC0456963A0FB2CFD4B694775DE3E433C0EE3DE452C340
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                                • String ID:
                                                                • API String ID: 2153537742-0
                                                                • Opcode ID: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                                • Instruction ID: 534899ad21150968aac174715d7514135b35f9473fc5e80356d1b8ef46292b69
                                                                • Opcode Fuzzy Hash: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                                • Instruction Fuzzy Hash: 95115E38A0024155FA5FB7F398173EC11969FAC3C4F454524BB498F2F3EE7B88658662
                                                                APIs
                                                                • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8F8565F96), ref: 00007FF8F8562F59
                                                                • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565F96), ref: 00007FF8F8562F6B
                                                                • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8F8565F96), ref: 00007FF8F8562F7A
                                                                • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8F8565F96), ref: 00007FF8F8562FE0
                                                                • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FF8F8565F96), ref: 00007FF8F8562FEE
                                                                • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FF8F8565F96), ref: 00007FF8F8563001
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                                • String ID:
                                                                • API String ID: 490008815-0
                                                                • Opcode ID: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                                • Instruction ID: 065dcd7c61de9634c86938e43b559f718836cdec7e59610768c10b648ba40ed6
                                                                • Opcode Fuzzy Hash: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                                • Instruction Fuzzy Hash: 23214C26D18B8587E7068F38D9012787360FBBDB88F15A224CE9C16256EF39E1D5D344
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle$FileUnmapView
                                                                • String ID:
                                                                • API String ID: 260491571-0
                                                                • Opcode ID: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                                • Instruction ID: e4157fc547da492297a5d265050bc8fab675aa544c6886f43f24823cbbcadd6d
                                                                • Opcode Fuzzy Hash: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                                • Instruction Fuzzy Hash: 1DF01438616E00D5FA07DB63ECA83A427A1BB8DBD9F440211EB4E4B331DE3F85998300
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: abort$CallEncodePointerTranslator
                                                                • String ID: MOC$RCC
                                                                • API String ID: 2889003569-2084237596
                                                                • Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                                • Instruction ID: caa6f6d298d5b79beaa8ea310e560078198a186019ea4aaaf7a9dbd4b6e29168
                                                                • Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                                • Instruction Fuzzy Hash: 1A917E73A087858AE710CF65E8802AD7BA0F7587C8F14422AEFAD67799DF38D195C700
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                                • API String ID: 2943138195-757766384
                                                                • Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                                • Instruction ID: 5bcd1ac13462a667b846c4a2d9c358a1476b45efd9be01fd3d804fec5bc93695
                                                                • Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                                • Instruction Fuzzy Hash: B67148B2A08A46ACEB14CF25DD451BC66A0BB297C4F444735DA7E47AE9DF7CE650C300
                                                                APIs
                                                                • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                                  • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                  • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                                • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                                • API String ID: 3207467095-2931640462
                                                                • Opcode ID: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                                • Instruction ID: 2da19ac7c4dfbac8c42f28ebd32a6b72bd3b2cb838895640dc67fbc0c8e08b7c
                                                                • Opcode Fuzzy Hash: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                                • Instruction Fuzzy Hash: DC5169B2B10A5489EB11CF6AE8407DD37B1F709BA8F504216EF2A67BE9DB74C581C740
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: abort$CallEncodePointerTranslator
                                                                • String ID: MOC$RCC
                                                                • API String ID: 2889003569-2084237596
                                                                • Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                                • Instruction ID: 6d555c5db1c1ed5d65ffcce399f7535b6c422986445fcf5a4fd667711ec13504
                                                                • Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                                • Instruction Fuzzy Hash: 82615B72A09B858AE714CF65D8803AD77A0FB58BC8F144225EF6D23B98DF38E155C700
                                                                APIs
                                                                • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8F859B212), ref: 00007FF8F859BBFE
                                                                • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8F859B212), ref: 00007FF8F859BC0F
                                                                • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8F859B212), ref: 00007FF8F859BC76
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: iswspace$iswxdigit
                                                                • String ID: (
                                                                • API String ID: 3812816871-3887548279
                                                                • Opcode ID: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                                • Instruction ID: 9c504f6d1932090a76b5d027cb203fb235d3994af410b3964e858862d100c142
                                                                • Opcode Fuzzy Hash: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                                • Instruction Fuzzy Hash: 9E510452D0866B8BFB249F619D403F972A5EF38BC4F488431DA58060D4EF3DE840E256
                                                                APIs
                                                                • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8F8599122), ref: 00007FF8F8599CFA
                                                                • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8F8599122), ref: 00007FF8F8599D0B
                                                                • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8F8599122), ref: 00007FF8F8599D64
                                                                • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8F8599122), ref: 00007FF8F8599E14
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: isspace$isalnumisxdigit
                                                                • String ID: (
                                                                • API String ID: 3355161242-3887548279
                                                                • Opcode ID: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                                • Instruction ID: fdc29989aaa2b8e8b4a6a891ffc3dc62ab52160e4da79a981b00dcda865f5781
                                                                • Opcode Fuzzy Hash: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                                • Instruction Fuzzy Hash: CA41F557D0C6825FEB254F34AD5A3F96B969F39BC4F089070CAA8071C6DF1EE806A714
                                                                APIs
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                  • Part of subcall function 00007FF8F859B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                  • Part of subcall function 00007FF8F859B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FF8F857A22C), ref: 00007FF8F8583A25
                                                                  • Part of subcall function 00007FF8F856B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8591347,?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F856B7BF
                                                                  • Part of subcall function 00007FF8F856B794: memcpy.VCRUNTIME140(?,?,00000000,00007FF8F8591347,?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F856B7DB
                                                                • _Getvals.LIBCPMT ref: 00007FF8F8583A61
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                                • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                • API String ID: 3848194746-3573081731
                                                                • Opcode ID: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                                • Instruction ID: a9242d4b2a533ff46378fae7e6073cc51a39c2e6eb6c55dd7cd452a53085b4a2
                                                                • Opcode Fuzzy Hash: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                                • Instruction Fuzzy Hash: 6C41E572A08B819BE724CF21D9804BD7BA0FB687C1B184132DBA943E91DF78F562D704
                                                                APIs
                                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8F8583CE2
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                  • Part of subcall function 00007FF8F859B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                  • Part of subcall function 00007FF8F859B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                • _Maklocstr.LIBCPMT ref: 00007FF8F8583D5B
                                                                • _Maklocstr.LIBCPMT ref: 00007FF8F8583D71
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                • String ID: false$true
                                                                • API String ID: 309754672-2658103896
                                                                • Opcode ID: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                                • Instruction ID: 3a0d7363c00019c65b97e39a63c7b2b33acac11aba69ddeaf8dfc6872ea7103c
                                                                • Opcode Fuzzy Hash: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                                • Instruction Fuzzy Hash: F2416926B18B459AE710CF70E8501ED33B0FB6C788F404126EE5D27A99EF38D595D398
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2003779279-1866435925
                                                                • Opcode ID: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                                • Instruction ID: 2704687da44029e49c05e0749fbc7a5a77ef177203c542e19fd4564f20252efc
                                                                • Opcode Fuzzy Hash: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                                • Instruction Fuzzy Hash: 5321C162A086469BEB50DB11E9413B96760FF787C8F840031D66D4BBE5EF3CE0A5D344
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                • API String ID: 2003779279-1866435925
                                                                • Opcode ID: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                                • Instruction ID: 3a2dd27afb067f6769943060466414457672e41f205744f7b9c836eb6216356a
                                                                • Opcode Fuzzy Hash: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                                • Instruction Fuzzy Hash: 74F0FD21A0850A9FEB54CB00DC826E82321EB783C4FA40435D22E4A5F5EF3DE586D748
                                                                APIs
                                                                • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                                • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                                • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                                • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                                • String ID:
                                                                • API String ID: 3275830057-0
                                                                • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                                • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                                • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                                • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: fgetwc
                                                                • String ID:
                                                                • API String ID: 2948136663-0
                                                                • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                                • Instruction ID: ccf782d046cf5d087ce79904d68923ea29e988616351dd93cc0db9f47df02932
                                                                • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                                • Instruction Fuzzy Hash: C9816973605A85CEEB208F25C8903AC37A5FB68B88F555232EB6E47AD9DF39C444D304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 2665656946-0
                                                                • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                                • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                                • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                                • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                                APIs
                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856B9D3
                                                                • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856B9E1
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BA1A
                                                                • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BA24
                                                                • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF8F8591347), ref: 00007FF8F856BA32
                                                                  • Part of subcall function 00007FF8F85B25AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565AF8), ref: 00007FF8F85B25C6
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
                                                                • String ID:
                                                                • API String ID: 3375828981-0
                                                                • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                                • Instruction ID: bf1766af94add24d3e0c8c6e5d87689211e791bd4e8b93c3628bc1d8c6d5ba6b
                                                                • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                                • Instruction Fuzzy Hash: B331C921708A828AEF149F56990437A6352FB2CBD4F584531DE7D0B7DAEF7CD141A309
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                 • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: NameName::$Name::operator+
                                                                • String ID:
                                                                • API String ID: 826178784-0
                                                                • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                                • Instruction ID: 15e60a612e522fb479dc4d202d59b35068498c876eb937a990578b23618d1ba8
                                                                • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                                • Instruction Fuzzy Hash: 75414922A09A5A88EB10CF61DC811B83BA4BB69BC0B544272EF7E537D5DF38E955C300
                                                                APIs
                                                                  • Part of subcall function 00007FF8F8572160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF8F8564C3E,?,?,00000000,00007FF8F8565B5B), ref: 00007FF8F857216F
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565B5B), ref: 00007FF8F8564C47
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565B5B), ref: 00007FF8F8564C5B
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565B5B), ref: 00007FF8F8564C6F
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565B5B), ref: 00007FF8F8564C83
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565B5B), ref: 00007FF8F8564C97
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565B5B), ref: 00007FF8F8564CAB
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$setlocale
                                                                • String ID:
                                                                • API String ID: 294139027-0
                                                                • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                                • Instruction ID: 69c5e1e8543f15340b0de4d638c89faf1f70cb86c189cbdb1f481ad9cd725cc2
                                                                • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                                • Instruction Fuzzy Hash: B5111222A06A058FFB599F61CCE533923A1EF6CF88F180134C51E092C5DF6DD894E398
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                 • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                 • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: __acrt_iob_func$abortfputcfputs
                                                                • String ID:
                                                                • API String ID: 2697642930-0
                                                                • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                                • Instruction ID: ab6cc4633cec109ebaafe9ad03cccec8a3f2da70ff172e00cb6c16879e5b336c
                                                                • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                                • Instruction Fuzzy Hash: 07E0E664A149414FE74C5F61FC1937453169F7CBD3F240038C91F467D6DF2C54485215
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                                • String ID: %.0Lf$0123456789-
                                                                • API String ID: 4032823789-3094241602
                                                                • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                                • Instruction ID: ebc35eeac13d345a03a636307a6b2ddde81619185fbac8b620f3201e6e005a03
                                                                • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                                • Instruction Fuzzy Hash: 7A718D62B09B558AEB40CFA5D8542AC3371EB68BC8F504036DE6D17BD9DF38D84AD308
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                                • String ID: 0123456789-
                                                                • API String ID: 2457263114-3850129594
                                                                • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                                • Instruction ID: 5805478147ddb9c9119d24c17242d0eade921877f10d69cad4e7880d6e66910f
                                                                • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                                • Instruction Fuzzy Hash: BB716926B09B858EEB01CFA5D8502AC77B1AB69BD8F440036DE6D17B99CF38D45AD304
                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                • String ID: gfffffff$gfffffff
                                                                • API String ID: 3668304517-161084747
                                                                • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                                • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                                • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                                • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                                • String ID: %.0Lf
                                                                • API String ID: 1248405305-1402515088
                                                                • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                                • Instruction ID: 011d38875fda64dca4a85c36d49429b5668f343c974be4d190d62abde533c1fa
                                                                • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                                • Instruction Fuzzy Hash: 8B617022B08B858EEB01CF75EC402AD6761EB69BD4F544136EE5D27B9ADF38D045E304
                                                                APIs
                                                                  • Part of subcall function 00007FF8FF5B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8FF5B239E), ref: 00007FF8FF5B671E
                                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8FF5B41C3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: abort
                                                                • String ID: $csm$csm
                                                                • API String ID: 4206212132-1512788406
                                                                • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                                • Instruction ID: c677900ee17605d145487d1630e6385a4a6e1cef9d6761fb8dbaab4cc4ec49b1
                                                                • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                                • Instruction Fuzzy Hash: 19718E729086818ADB748F259890779BBA0FB69BC8F148235DFBD47AC9CB3CD451C741
                                                                APIs
                                                                  • Part of subcall function 00007FF8FF5B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8FF5B239E), ref: 00007FF8FF5B671E
                                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8FF5B3F13
                                                                • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF8FF5B3F23
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                                • String ID: csm$csm
                                                                • API String ID: 4108983575-3733052814
                                                                • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                                • Instruction ID: 0059fb203194b8ade7bc91dd1d1ac370853dcec1ee749a1c101340cfc75e93ea
                                                                • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                                • Instruction Fuzzy Hash: AA513F329086828EEB748F1598842687AA0FB68BD5F144236DBBD67BD5CF3CE451CB41
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Exception$RaiseThrowabort
                                                                • String ID: csm
                                                                • API String ID: 3758033050-1018135373
                                                                • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                                • Instruction ID: 973041cadbccc0a0edac4ad253aacf6d7d6fbac837eadc83fffe3d1fb48fcd6a
                                                                • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                                • Instruction Fuzzy Hash: B9515022904BC58ADB15CF28C8502A833A0FB68B98F559325DB6D077A6EF39E5D5D300
                                                                APIs
                                                                • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8F856F8D4
                                                                • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8F856F8E6
                                                                • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF8F856F96B
                                                                  • Part of subcall function 00007FF8F8564D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D72
                                                                  • Part of subcall function 00007FF8F8564D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D98
                                                                  • Part of subcall function 00007FF8F8564D50: memcpy.VCRUNTIME140(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564DB0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: setlocale$freemallocmemcpy
                                                                • String ID: bad locale name
                                                                • API String ID: 1663771476-1405518554
                                                                • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                                • Instruction ID: 3c839ffe52cb7df7249ccc2b03eec82027694d0ce0e1e0a22fb7cada8468c3d2
                                                                • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                                • Instruction Fuzzy Hash: DD310822F086828BFB54CB19EC4017963A1AFACBC0F188075DA6D477D5EF3CE881A344
                                                                APIs
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                  • Part of subcall function 00007FF8F859B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                  • Part of subcall function 00007FF8F859B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FF8F8592278), ref: 00007FF8F859434D
                                                                  • Part of subcall function 00007FF8F856B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8591347,?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F856B7BF
                                                                  • Part of subcall function 00007FF8F856B794: memcpy.VCRUNTIME140(?,?,00000000,00007FF8F8591347,?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F856B7DB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                                • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                • API String ID: 3376215315-3573081731
                                                                • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                                • Instruction ID: 643480e9162973c849ab048b59a886c176f075eff3311d89bad1f4322a8ac619
                                                                • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                                • Instruction Fuzzy Hash: DB41D372A08B819BE725CF35D98056E7BA0FB68B81B044135DB5D43E81DF38F9A1DB04
                                                                APIs
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                  • Part of subcall function 00007FF8F859B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                  • Part of subcall function 00007FF8F859B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FF8F857A07C), ref: 00007FF8F85838E1
                                                                  • Part of subcall function 00007FF8F856B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8591347,?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F856B7BF
                                                                  • Part of subcall function 00007FF8F856B794: memcpy.VCRUNTIME140(?,?,00000000,00007FF8F8591347,?,?,?,?,?,?,?,?,?,00007FF8F859243E), ref: 00007FF8F856B7DB
                                                                  • Part of subcall function 00007FF8F85767B0: _Maklocstr.LIBCPMT ref: 00007FF8F85767E0
                                                                  • Part of subcall function 00007FF8F85767B0: _Maklocstr.LIBCPMT ref: 00007FF8F85767FF
                                                                  • Part of subcall function 00007FF8F85767B0: _Maklocstr.LIBCPMT ref: 00007FF8F857681E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                                • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                • API String ID: 2904694926-3573081731
                                                                • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                                • Instruction ID: 0a6dc3b49050f0fc4adb45370d84b5e9de4d74494dcfa32eaacdf50b2db6d5b9
                                                                • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                                • Instruction Fuzzy Hash: 4841F472A08B818BE720CF21D9801AD7BA1FBA87C1B144136CBAD43E41EF38F465D704
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: NameName::
                                                                • String ID: %lf
                                                                • API String ID: 1333004437-2891890143
                                                                • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                                • Instruction ID: 156595c1757f21d4be27d06d81650aad56a0b3990116420f9677c41a0805211a
                                                                • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                                • Instruction Fuzzy Hash: 9131837290CA8589EB21CF75AC502796760FBADBC4F548271EABE876D5CF3CE5018740
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: FileFindNext$wcscpy_s
                                                                • String ID: .
                                                                • API String ID: 544952861-248832578
                                                                • Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                                • Instruction ID: 1719dbee1b65d5fbe4ae6f2b9055a8b6a721c36c823b65892d77d52a0c3db333
                                                                • Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                                • Instruction Fuzzy Hash: B221B062A0C6818BEF61CF61EC053B933A0EBAC7C1F444130DAAC426D4EF3CD4859604
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                                • String ID: ios_base::badbit set
                                                                • API String ID: 1099746521-3882152299
                                                                • Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                                • Instruction ID: db5a4bd52e349c06c278a1e0bdb8ece8500aa66da30cc7488af9a4e0c521ea12
                                                                • Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                                • Instruction Fuzzy Hash: 69017B51F289075FF718CB11DC419B90642EFB83C0F148036C42E029E5EF3DE106A608
                                                                APIs
                                                                  • Part of subcall function 00007FF8FF5B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8FF5B239E), ref: 00007FF8FF5B671E
                                                                • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8FF5B243E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: abortterminate
                                                                • String ID: MOC$RCC$csm
                                                                • API String ID: 661698970-2671469338
                                                                • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                                • Instruction ID: f8048c9d87a727d9b4549fc5c1d321391ecef9880a0819bed674d2587f3cea91
                                                                • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                                • Instruction Fuzzy Hash: 55F0C236918642C9EB505F20E98106C3270FF6CB80F185671D779036D2CF7CD4A0C711
                                                                APIs
                                                                • __C_specific_handler.LIBVCRUNTIME ref: 00007FF8FF5BE9F0
                                                                  • Part of subcall function 00007FF8FF5BEC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8FF5BECF0
                                                                  • Part of subcall function 00007FF8FF5BEC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8FF5BE9F5), ref: 00007FF8FF5BED3F
                                                                  • Part of subcall function 00007FF8FF5B6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8FF5B239E), ref: 00007FF8FF5B671E
                                                                • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8FF5BEA1A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                                • String ID: csm$f
                                                                • API String ID: 2451123448-629598281
                                                                • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                                • Instruction ID: bdc5164ff1bb8839d5ba955c429272b4c50b0b4e41b07b701cbaff5022635062
                                                                • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                                • Instruction Fuzzy Hash: 0FE06535D1825286EB606F61B98513D2BA4FF3DBD4F188235DB79076C6CE3CE8E08601
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID:
                                                                • API String ID: 2943138195-0
                                                                • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                                • Instruction ID: 685c1d67f85d1b5fbe0d281fdf9855387f0e1f07775489e58db67c1fdf9d2414
                                                                • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                                • Instruction Fuzzy Hash: 9E915862E08A568DFB128F60DC403AC27B1BB28798F544236DB7E676D5DF7CA945C340
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+$NameName::
                                                                • String ID:
                                                                • API String ID: 168861036-0
                                                                • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                                • Instruction ID: 74cd0ec14019cdc00e9fe2a95def0507a576e8cfb64964d0f5e70937845e6e3d
                                                                • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                                • Instruction Fuzzy Hash: 7C5127B2E18A568DEB118FA0EC407B837A0BB69B84F544271DA3E477D5DF3DE5418740
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memset$_invalid_parameter_noinfo_noreturnmemmove
                                                                • String ID:
                                                                • API String ID: 48703092-0
                                                                • Opcode ID: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                                • Instruction ID: 948ad675966271c9991ceaad39470193d7d81f5c1b48440d7dc352eab6ab828f
                                                                • Opcode Fuzzy Hash: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                                • Instruction Fuzzy Hash: B431B4B2711A9451EA06DF66F5443EDA291A788BE0F548635AF6C077E5EF38C4E2C300
                                                                APIs
                                                                • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FF8F85767E5), ref: 00007FF8F8576EA1
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FF8F85767E5), ref: 00007FF8F8576EF2
                                                                • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FF8F85767E5), ref: 00007FF8F8576EFC
                                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8F8576F3D
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 1775671525-0
                                                                • Opcode ID: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                                • Instruction ID: 7e9d9c0c82f74b157978c50b384cc7699254c8cbf3fa1038314a5eae4903ce62
                                                                • Opcode Fuzzy Hash: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                                • Instruction Fuzzy Hash: B241E66170864A9AEF149F12E90417E6395AB2CBE4F548631EE7D07BD8EF3CE041D314
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 1775671525-0
                                                                • Opcode ID: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                                • Instruction ID: 5eefee599e55360472b21201d118600e1e1782b9a7bcf1fca708a762cb7f98e2
                                                                • Opcode Fuzzy Hash: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                                • Instruction Fuzzy Hash: 3D31F861B086468EEF149F16ED48269A394AF2CBE4F544231DE7D077E5EF7CE041A308
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
                                                                • String ID:
                                                                • API String ID: 2233944734-0
                                                                • Opcode ID: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                                • Instruction ID: 1d359a8688850c58475c95a627b85aaeb2384bb2996b6e14e6f05415a0bf4097
                                                                • Opcode Fuzzy Hash: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                                • Instruction Fuzzy Hash: B941D832B1CA468FFB919B159C411B96350AFBC7C0F644532DA7D136D6DF3CE909AA08
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                                • String ID:
                                                                • API String ID: 2234106055-0
                                                                • Opcode ID: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                                • Instruction ID: b0ada5f9ea406b0ea96742e5515a18af30f1b0f77075c09a681ccc4cb2409906
                                                                • Opcode Fuzzy Hash: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                                • Instruction Fuzzy Hash: F231F722A0C7418BF7214F16AC502BD6A91FBA8BD1F184035DEAA077D9EF3CE445D718
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                                • String ID:
                                                                • API String ID: 3857474680-0
                                                                • Opcode ID: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                                • Instruction ID: 7856f5f3658829d7ed70d5c4bc55baf53285af84079637e4119b1408e1939662
                                                                • Opcode Fuzzy Hash: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                                • Instruction Fuzzy Hash: 70310532A0C6418BF7154B169C503BD6A91EBA8BE1F184035DAAA077D9EF3CE488E714
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID:
                                                                • API String ID: 2943138195-0
                                                                • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                                • Instruction ID: 277d41baa5218bb518b43e154b2ef8cfef01402af047479a119b66438c67d692
                                                                • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                                • Instruction Fuzzy Hash: 5A4178B2A08B568DF701CF64E8453AC37B0B769B88F548225DB6D67799CF7C9541C310
                                                                APIs
                                                                • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FF8F858E921), ref: 00007FF8F859AFB7
                                                                • memcpy.VCRUNTIME140(?,00000000,?,?,?,00007FF8F858E921), ref: 00007FF8F859AFDB
                                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FF8F858E921), ref: 00007FF8F859AFE8
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FF8F858E921), ref: 00007FF8F859B05B
                                                                  • Part of subcall function 00007FF8F8562E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8F8562E5A
                                                                  • Part of subcall function 00007FF8F8562E30: LCMapStringEx.KERNEL32 ref: 00007FF8F8562E9E
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
                                                                • String ID:
                                                                • API String ID: 2888714520-0
                                                                • Opcode ID: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                                • Instruction ID: d88240faf8c404029f85036a3ee005e155faf725f9ba28e251abe3a1baf6e4c2
                                                                • Opcode Fuzzy Hash: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                                • Instruction Fuzzy Hash: 4D21E161B18B928FE7209F12AC0042AAA90BB68BE4F584231DE7D17BD5DF3CD4029308
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _fsopen$fclosefseek
                                                                • String ID:
                                                                • API String ID: 410343947-0
                                                                • Opcode ID: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                                • Instruction ID: 8fb53993c77a9f42750d4016351e59f9b423cd7f1a69a0fa5275930207f3c8a7
                                                                • Opcode Fuzzy Hash: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                                • Instruction Fuzzy Hash: F531D121B286414BEB6A8B56AC466793292EFACFC5F4C4134CE1E437E0EF3CE8419304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _wfsopen$fclosefseek
                                                                • String ID:
                                                                • API String ID: 1261181034-0
                                                                • Opcode ID: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                                • Instruction ID: 2df483b505566aa80f5896f179d7f165c420ff91d467ddd373c06936f7966d77
                                                                • Opcode Fuzzy Hash: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                                • Instruction Fuzzy Hash: 9931D421B18A454FFB5ACB56AC426763691AFA8FC5F485134DE1E437D0EF3CE8419348
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                                • String ID:
                                                                • API String ID: 4174221723-0
                                                                • Opcode ID: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                                • Instruction ID: 329cc6dd5267e1a20a6fc7da630ad77381380cdf8f0f417e816be49fa379c834
                                                                • Opcode Fuzzy Hash: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                                • Instruction Fuzzy Hash: F4315072A18B8441EB128B26E4453AE6751E79DBF4F249301F7FD0B6F9DBB9D5C08600
                                                                APIs
                                                                • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FF8F859576B), ref: 00007FF8F859A604
                                                                • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FF8F859576B), ref: 00007FF8F859A60E
                                                                  • Part of subcall function 00007FF8F85626E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8F8562728
                                                                  • Part of subcall function 00007FF8F85626E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8F856274E
                                                                  • Part of subcall function 00007FF8F85626E0: GetCPInfo.KERNEL32 ref: 00007FF8F8562792
                                                                • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FF8F859576B), ref: 00007FF8F859A631
                                                                • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF8F859576B), ref: 00007FF8F859A66F
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                                • String ID:
                                                                • API String ID: 3421985146-0
                                                                • Opcode ID: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                                • Instruction ID: 116a4c1d6f1a89a3e3f21ca33ee9b23f5a658015e764b697392165f10d1841c9
                                                                • Opcode Fuzzy Hash: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                                • Instruction Fuzzy Hash: 4F217F31A087828BEB118F6ADD41029BBA4BBA8FD4F854135DA6D537D5CF3CE8019708
                                                                APIs
                                                                • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                                  • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                  • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                                • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                                • API String ID: 1351999747-1487749591
                                                                • Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                                • Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
                                                                • Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                                • Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: memmove$FormatFreeLocalMessage
                                                                • String ID: unknown error
                                                                • API String ID: 725469203-3078798498
                                                                • Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                                • Instruction ID: f70e2e102e1dc944c520fc560a6075105e27b58c2e8b28cbbd78e8d1fc297a5f
                                                                • Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                                • Instruction Fuzzy Hash: F7118E226087898AE7109F25E90036DB7A0FBADBC8F488130DA9D0F7DADF7CC1109748
                                                                APIs
                                                                • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                                • String ID:
                                                                • API String ID: 3203701943-0
                                                                • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                                • Instruction ID: bf8e6c8d6f499435561ac89476ade445b47d0805b41a3e29482f9870f8ff7d1c
                                                                • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                                • Instruction Fuzzy Hash: 8501E5A2E147558BEB058F799C00028B7A0FB6CBD4F148235DA5E87251DB3DD0C18704
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID: MOC$RCC$csm
                                                                • API String ID: 2803490479-2671469338
                                                                • Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                                • Instruction ID: c58058f2f67a9077bf0bbe9fc50e8de367799e150496680d7e9f56d0e16d20b7
                                                                • Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                                • Instruction Fuzzy Hash: B8018439E082028FEF659F159D8517D22A1EF6CBC5F184032DA2D077C5EF2CE881D606
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                                • String ID: 0123456789-
                                                                • API String ID: 4032823789-3850129594
                                                                • Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                                • Instruction ID: e3e42f19ee3ae28598e8be2a4f97d6ce84af9a578f9e25e522c45cb286fe0a90
                                                                • Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                                • Instruction Fuzzy Hash: 18717A62B09B558EEB40CFA5D8502AC2371EB68BC8F504036DE6D17BD8DF38D94AD348
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                                • String ID: %.0Lf
                                                                • API String ID: 296878162-1402515088
                                                                • Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                                • Instruction ID: a70764fef1b941384f6288aa144a78b2dbceceaa068545766ebac78093e71884
                                                                • Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                                • Instruction Fuzzy Hash: 6E71B062B09B858AEB41CF65E8402AD77A1EBA87D8F104132EE6D17BA9DF38D445D304
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                                • String ID: %.0Lf
                                                                • API String ID: 296878162-1402515088
                                                                • Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                                • Instruction ID: 53cfa6d8cf63f20a22a5b19b8661b83ccec085b8f501c12c170b8f52a22a38af
                                                                • Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                                • Instruction Fuzzy Hash: A5719262B08B858AEB41CF65EC402AD6361EF68BD4F104136EE6D67BA5DF3CD445D304
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: rand_s
                                                                • String ID: invalid random_device value
                                                                • API String ID: 863162693-3926945683
                                                                • Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                                • Instruction ID: a4e64ae4138d3d9a9e1402b8e9b04cd6556c0a33cb980b9be38543f1acb19bc2
                                                                • Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                                • Instruction Fuzzy Hash: EB51F322D18E468FF3429F358C561BA6364BF3E3C4F144772E53E265E5DF29A492A204
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: abort$CreateFrameInfo
                                                                • String ID: csm
                                                                • API String ID: 2697087660-1018135373
                                                                • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                                • Instruction ID: 0fac4249532da30d27ccf38fc5df187e35004b93a24492469df37aff00df0398
                                                                • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                                • Instruction Fuzzy Hash: B1513F366197828AD7609F16E84126E77A4FB9DBD0F140635EBAD07B95CF3CE461CB00
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                                • String ID: !%x
                                                                • API String ID: 1195835417-1893981228
                                                                • Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                                • Instruction ID: c67e577c4e89285dfbc3b2b891f7d45209123d1836ed6237a1b4ba8ec65c32cd
                                                                • Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                                • Instruction Fuzzy Hash: B2418C26F14A918EFB00CFA5DC417EC2B71BB687D8F448536EE6D17A8ADF3891459304
                                                                APIs
                                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8F8563305
                                                                  • Part of subcall function 00007FF8F85B25AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8565AF8), ref: 00007FF8F85B25C6
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8F85657FA,?,?,?,00007FF8F8564438), ref: 00007FF8F85632FE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                • String ID: ios_base::failbit set
                                                                • API String ID: 1934640635-3924258884
                                                                • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                                • Instruction ID: 64c1a8d3df6ce2a9aa2ca815d6258be621208aac65088128ae0aab63fadb6a4c
                                                                • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                                • Instruction Fuzzy Hash: 6721D721B09B828ADB60CB11A8402AAB394FB5CBE0F544635EEAC47BD5FF3CC545D704
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: Name::operator+
                                                                • String ID: void$void
                                                                • API String ID: 2943138195-3746155364
                                                                • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                                • Instruction ID: 6fa54eab6e8d2e6f5f5def173b80a148e7327bc34342f949778ef70f984a9a0b
                                                                • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                                • Instruction Fuzzy Hash: 85310262E18A599CFB018FA4EC410AC37B4BB6C788B444236EB6E63B99DF389144C750
                                                                APIs
                                                                  • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                                • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                                • API String ID: 1654775311-1428855073
                                                                • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                                • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                                • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                                • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                                APIs
                                                                • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF8F856C744), ref: 00007FF8F856F1D4
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0
                                                                  • Part of subcall function 00007FF8F859B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B8
                                                                  • Part of subcall function 00007FF8F859B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0C1
                                                                  • Part of subcall function 00007FF8F859B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0DD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                • String ID: false$true
                                                                • API String ID: 2502581279-2658103896
                                                                • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                                • Instruction ID: c561576b558a7d091defe294e2b479282fb31403ce9f8fe8133e537f31053a70
                                                                • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                                • Instruction Fuzzy Hash: 45218536508B858AE720DF20E8413A93760FBACBE4F444532D6AC07795DF38D154D784
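                                                                The dump names and API reference lines in these entries follow a fixed layout, and an analyst triaging a report like this usually wants them in structured form: which dumps hold executable pages (the ones to load into a disassembler first) and which CRT/DLL exports each function reaches. The parser below is an added example, not Joe Sandbox code. What the page itself confirms about an .sdmp name is that field 1 is the PID (0000000C, i.e. 12) and field 2 the analysis phase (2), since the snapshot file is named hcaresult_12_2_<base>. The example reads field 5 as a Windows PAGE_* protection and field 7 as a MEMORY_BASIC_INFORMATION.Type because the values on this page (0x02 on the PE header, 0x20 on .text, 0x04 on .data, 0x1000000 everywhere) match those constants exactly; that reading, plus "dump id" for field 3 and "module index" for field 8, is an assumption. The sample inputs are copied from the entries above.

```python
"""Parse Joe Sandbox .sdmp names and "APIs" reference lines into structured records.

Added example, not Joe Sandbox code. Assumed field layout of an .sdmp name:
PID.PHASE.DUMP_ID.ADDRESS.PROTECT.FIELD6.MEM_TYPE.MODULE_INDEX
PID and PHASE are confirmed by the snapshot file name on the page; PROTECT and
MEM_TYPE are read as winnt.h PAGE_* / MEM_* values because the page's values match
them; DUMP_ID and MODULE_INDEX are assumptions; FIELD6 (always 1 here) is kept raw.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PAGE_PROTECT = {  # winnt.h PAGE_* values
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<address>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<field6>[0-9A-F]{8})\."
    r"(?P<mem_type>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp$"
)
# "• [Part of subcall function ADDR: ]func.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<func>[^.(\s]+)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class SdmpName:
    pid: int
    phase: int
    dump_id: int
    address: int
    protect: str
    executable: bool
    mem_type: str
    module_index: int


@dataclass
class ApiRef:
    function: str
    module: str
    args: Tuple[Optional[int], ...]   # None for a '?' (argument the sandbox could not resolve)
    ref: int                          # address of the call site
    subcall_of: Optional[int]         # callee whose body contains the call, if indirect


def parse_sdmp_name(name: str) -> SdmpName:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    protect = int(m["protect"], 16)
    mem_type = int(m["mem_type"], 16)
    return SdmpName(
        pid=int(m["pid"], 16), phase=int(m["phase"], 16), dump_id=int(m["dump_id"]),
        address=int(m["address"], 16),
        protect=PAGE_PROTECT.get(protect, f"0x{protect:x}"),
        executable=bool(protect & 0xF0),   # PAGE_EXECUTE* are 0x10..0x80
        mem_type=MEM_TYPE.get(mem_type, f"0x{mem_type:x}"),
        module_index=int(m["module"], 16),
    )


def parse_api_ref(line: str) -> ApiRef:
    m = API_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an API reference line: {line!r}")
    raw = m["args"]
    args = tuple(None if a == "?" else int(a, 16) for a in raw.split(",")) if raw else ()
    return ApiRef(m["func"], m["module"], args, int(m["ref"], 16),
                  int(m["sub"], 16) if m["sub"] else None)


def executable_regions(names: List[str]) -> List[Tuple[int, int]]:
    """(module index, start address) of every dump of executable pages, sorted."""
    parsed = (parse_sdmp_name(n) for n in names)
    return sorted((d.module_index, d.address) for d in parsed if d.executable)


def imports_by_module(lines: List[str]) -> Dict[str, Set[str]]:
    """Group referenced API names by the DLL / CRT forwarder they resolve to."""
    out: Dict[str, Set[str]] = {}
    for ref in map(parse_api_ref, lines):
        out.setdefault(ref.module, set()).add(ref.function)
    return out


# Sample input copied from the report entries above (one name per distinct region).
SAMPLE_DUMP_NAMES = [
    "0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp",
    "0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp",
]
SAMPLE_API_LINES = [
    "• localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF8F856C744), ref: 00007FF8F856F1D4",
    "  • Part of subcall function 00007FF8F859B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FF8F8566093), ref: 00007FF8F859B0B0",
    "• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441",
    "• Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8F8563305",
]

if __name__ == "__main__":
    for mod, addr in executable_regions(SAMPLE_DUMP_NAMES):
        print(f"module {mod:#x}: executable dump at {addr:#x}")
    for mod, funcs in sorted(imports_by_module(SAMPLE_API_LINES).items()):
        print(mod, sorted(funcs))
```

On this page the three executable dumps resolve to the three distinct PE images the report dumped from process 12 (module indices 7, 9 and 0xA), which is the quickest way to confirm how many images a run of these entries actually covers before reading the per-function hashes.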
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: FileHeader$ExceptionRaise
                                                                • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                                • API String ID: 3685223789-3176238549
                                                                • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                                • Instruction ID: ef780d8b1fb69bd7b7d52177fc88f2ce2b2d283a9c959675184481617c959139
                                                                • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                                • Instruction Fuzzy Hash: EF01B161A29A4A99EF409F24EC901786320FFA8BC4F405231D63F476EAEF6CD405C700
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFileHeaderRaise
                                                                • String ID: csm
                                                                • API String ID: 2573137834-1018135373
                                                                • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                                • Instruction ID: a974151fa3a838fbcd9493fd50aeb57a8557ea325f17c82a5b6cdf57401b28ea
                                                                • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                                • Instruction Fuzzy Hash: D8112B32618F8186EB518F25E8402697BA5FB98BC4F184271DFAD07798DF3DD5518700
                                                                APIs
                                                                • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8F85669ED
                                                                  • Part of subcall function 00007FF8F8564DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8576AB5,?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8564DF9
                                                                  • Part of subcall function 00007FF8F8564DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8576AB5,?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8564E28
                                                                  • Part of subcall function 00007FF8F8564DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FF8F8576AB5,?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8564E3F
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8F8566A0A
                                                                Strings
                                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8F8566A15
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$Getdaysmallocmemcpy
                                                                • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                • API String ID: 1347072587-3283725177
                                                                • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                                • Instruction ID: 3bff85a073645305720c407fcaad20478dfbacec3f80f95964d99a7ab0e90175
                                                                • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                                • Instruction Fuzzy Hash: A3E06D21A14B429BEB148F02F98436963A0EF6CBD0F844034DA1D03B91EF3CE4A4D704
                                                                APIs
                                                                • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8F8566A3D
                                                                  • Part of subcall function 00007FF8F8564DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8576AB5,?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8564DF9
                                                                  • Part of subcall function 00007FF8F8564DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8F8576AB5,?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8564E28
                                                                  • Part of subcall function 00007FF8F8564DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FF8F8576AB5,?,?,?,?,?,?,?,?,?,00007FF8F857A96E), ref: 00007FF8F8564E3F
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8F8566A5A
                                                                Strings
                                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FF8F8566A65
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$Getmonthsmallocmemcpy
                                                                • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                                • API String ID: 1628830074-2030377133
                                                                • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                                • Instruction ID: 660cfef8d618e684e370603bc7f904ae30838ac1f460ebc963fcd3a6ddf8faed
                                                                • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                                • Instruction Fuzzy Hash: 33E03921A05B029BEB448F02F98436963A0FF68BC0F845034DA1E03B91EF3CE4A4D304
                                                                APIs
                                                                • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8F85662CD
                                                                  • Part of subcall function 00007FF8F8564D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D72
                                                                  • Part of subcall function 00007FF8F8564D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D98
                                                                  • Part of subcall function 00007FF8F8564D50: memcpy.VCRUNTIME140(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564DB0
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8F85662EA
                                                                Strings
                                                                • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF8F85662F5
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$Getdaysmallocmemcpy
                                                                • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                • API String ID: 1347072587-3283725177
                                                                • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                                • Instruction ID: 579b64487d3184ad39bb336c8037f21c0e38ab68c43f389adb437b2d4e999203
                                                                • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                                • Instruction Fuzzy Hash: B8E0C021A147429BDB099F12F9543656360EB68BC4F844435DA2D07795EF3CD4A49714
                                                                APIs
                                                                • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8F856633D
                                                                  • Part of subcall function 00007FF8F8564D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D72
                                                                  • Part of subcall function 00007FF8F8564D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564D98
                                                                  • Part of subcall function 00007FF8F8564D50: memcpy.VCRUNTIME140(?,?,?,00007FF8F8572124,?,?,?,00007FF8F85643DB,?,?,?,00007FF8F8565B31), ref: 00007FF8F8564DB0
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8F856635A
                                                                Strings
                                                                • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF8F8566365
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free$Getmonthsmallocmemcpy
                                                                • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                                • API String ID: 1628830074-4232081075
                                                                • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                                • Instruction ID: 355685a7cb7776804d198b3b002790f6dc8ec1fa7da379f4ccec760e4354504d
                                                                • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                                • Instruction Fuzzy Hash: 1AE03921A15B429BEF048F12F98426863B0EB28BC0F880034DA2D03791EF3CE4E4D784
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrow
                                                                • String ID:
                                                                • API String ID: 432778473-0
                                                                • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                                • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                                • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                                • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1574522481.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                • Associated: 0000000C.00000002.1574496856.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574549912.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574570996.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574588304.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 0000000C.00000002.1574605680.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 2822070131-0
                                                                • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                                • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                                • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                                • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                                APIs
                                                                • GetLastError.KERNEL32(?,?,?,00007FF8FF5B65B9,?,?,?,?,00007FF8FF5BFB22,?,?,?,?,?), ref: 00007FF8FF5B674B
                                                                • SetLastError.KERNEL32(?,?,?,00007FF8FF5B65B9,?,?,?,?,00007FF8FF5BFB22,?,?,?,?,?), ref: 00007FF8FF5B67D4
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575959433.00007FF8FF5B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8FF5B0000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575934875.00007FF8FF5B0000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1575987278.00007FF8FF5C1000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576005876.00007FF8FF5C2000.00000002.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576024914.00007FF8FF5C6000.00000004.00000001.01000000.0000000A.sdmp
                                                                • Associated: 0000000C.00000002.1576043744.00007FF8FF5C7000.00000002.00000001.01000000.0000000A.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8ff5b0000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast
                                                                • String ID:
                                                                • API String ID: 1452528299-0
                                                                • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                                • Instruction ID: 3fedabdd47e2fcea7b5a31ef5ea2e8145adc8aaa84273dcc230dbfbb8c927e75
                                                                • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                                • Instruction Fuzzy Hash: 36113A24E096528AFF549F31AC251382691AF6CBE0F198B74DA7F57BD5DE2CE842C700
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                • Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                                • Instruction ID: e727c60d85cf713c3a7f608c956eb029225a5e0fddc74c0408c8fc4af6e73bb0
                                                                • Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                                • Instruction Fuzzy Hash: 42F01921A18B029FDB448F16ED941686360FBACBD0F144031CA6D03BA1DF2CE4A6D304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                • Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                                • Instruction ID: 7d1d0da33396e425f900e50c5b0ad13e1320451cb78c95e75339eed5ca98f161
                                                                • Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                                • Instruction Fuzzy Hash: 85F0C922A18B069BDB449F16EDA416863A0FBACBD0F144031DA6D43BA1DF6CE4A6D304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                • Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                                • Instruction ID: 7af678c1054ca125c1d5d0b95b143a8f13ad2101dc6122630f6ec4c7bb4796e3
                                                                • Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                                • Instruction Fuzzy Hash: 99F03C21A18B029FDB448F16ED941686360FBACFD0F544031CA6D03BB1DF2CE4A6D304
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8560000, based on PE: true
                                                                • Associated: 0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575446653.00007FF8F85B6000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 0000000C.00000002.1575912445.00007FF8F85E7000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd
                                                                Similarity
                                                                • API ID: free
                                                                • String ID:
                                                                • API String ID: 1294909896-0
                                                                • Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                                • Instruction ID: 320407f23456538c3a93b21aa7371d2479e613cf6f465891a773d476ea8c45a4
                                                                • Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                                • Instruction Fuzzy Hash: 5BE0BF62E14A018BEB589F21DCA40386370FFBCF95F181032CE2E463A5CF68D496D318
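The memory-dump names listed in the entries above carry the information an analyst needs to rebuild the module layout of the dumped image: the same dotted fields recur in every name, and the process id (0xC = 12), snapshot index (2) and lowest base (7ff8f8560000) reappear in the snapshot file name hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd. The following script is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling. The field layout it parses (pid, snapshot, sequence number, base address, protection, type) is an assumption inferred from those names and is not documented on this page; the protection and type values are decoded with the standard Windows MEMORY_BASIC_INFORMATION constants, and the two fields the page gives no clue about are kept as opaque strings. The sample input is copied from the entries above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: dump names and snapshot file name copied from this
# report section.
DUMP_NAMES = [
    "0000000C.00000002.1575329949.00007FF8F8561000.00000020.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1575248674.00007FF8F8560000.00000002.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1575402395.00007FF8F85B5000.00000004.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1575876363.00007FF8F85E3000.00000004.00000001.01000000.00000009.sdmp",
    "0000000C.00000002.1575895002.00007FF8F85E4000.00000008.00000001.01000000.00000009.sdmp",
]
SNAPSHOT_FILE = "hcaresult_12_2_7ff8f8560000_ImporterREDServer.jbxd"

# Windows MEMORY_BASIC_INFORMATION.Protect and .Type constants (winnt.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIER = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED field layout of the .sdmp name (inferred from the names above, not documented):
# pid . snapshot . sequence . base . protect . unknown . type . unknown
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.(?P<seq>[0-9A-F]+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$", re.I)
# ASSUMED layout of the snapshot name: hcaresult_<pid>_<snapshot>_<base>_<module>.jbxd
SNAP_RE = re.compile(
    r"^hcaresult_(?P<pid>\d+)_(?P<snap>\d+)_(?P<base>[0-9a-f]+)_(?P<module>.+)\.jbxd$", re.I)


@dataclass
class DumpRegion:
    name: str
    pid: int
    snapshot: int
    base: int
    protect: int
    mem_type: int
    opaque: tuple  # fields 6 and 8, meaning unknown on the page

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:X}")]
        names += [n for bit, n in PAGE_MODIFIER.items() if self.protect & bit]
        return "|".join(names)

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return (self.protect & 0xF0) != 0  # every PAGE_EXECUTE* value lives in the high nibble


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name}")
    return DumpRegion(name, int(m["pid"], 16), int(m["snap"], 16), int(m["base"], 16),
                      int(m["protect"], 16), int(m["mtype"], 16), (m["f6"], m["f8"]))


def image_layout(names: List[str], snapshot_file: str) -> Dict[str, object]:
    """Cross-check the dump regions against the snapshot name and rebuild the
    image layout: lowest base is taken as the image base, every other region is
    reported by RVA, protection and type."""
    s = SNAP_RE.match(snapshot_file)
    if not s:
        raise ValueError(f"not a recognised snapshot name: {snapshot_file}")
    regions = sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)
    image_base = regions[0].base
    return {
        "module": s["module"],
        "same_process": all(r.pid == int(s["pid"]) and r.snapshot == int(s["snap"]) for r in regions),
        "image_base": image_base,
        "image_base_matches": image_base == int(s["base"], 16),
        "all_image_backed": all(r.mem_type_name == "MEM_IMAGE" for r in regions),
        "executable_rvas": [r.base - image_base for r in regions if r.executable],
        "regions": [(r.base - image_base, r.protect_name, r.mem_type_name) for r in regions],
    }


if __name__ == "__main__":
    for rva, prot, kind in image_layout(DUMP_NAMES, SNAPSHOT_FILE)["regions"]:
        print(f"RVA 0x{rva:06X}  {prot:<22} {kind}")
```

Run against the names above, the check confirms that every region belongs to process 12, snapshot 2, that the lowest base equals the one in the snapshot name, that all regions are MEM_IMAGE (so the functions listed here were carved from a mapped PE, consistent with "based on PE: true"), and that the only executable region starts at RVA 0x1000, the usual location of the first section. A region that came back MEM_PRIVATE with PAGE_EXECUTE_READWRITE would be the thing to look at first when hunting for injected or unpacked code.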