Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
b8ygJBG5cb.msi

Overview

General Information

Sample name:b8ygJBG5cb.msi
renamed because original name is a hash value
Original sample name:e308c6a223d373b77c7189616db80f171e83ac026ecabf5d7f0b3977ef817801.msi
Analysis ID:1581043
MD5:1c3d44ab733b1eb6abdff0bc9f177439
SHA1:70f6337ef36fe2ecbc80fc12d2873f7aecb2fb17
SHA256:e308c6a223d373b77c7189616db80f171e83ac026ecabf5d7f0b3977ef817801
Tags:LegionLoadermsiRobotDropperyhmqpa-comuser-johnk3r
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 7432 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\b8ygJBG5cb.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7468 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7564 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D1F7B76A2FEB2E4A506948573AE81708 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7768 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 8044 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 7960 cmdline: "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Script Interpreter Execution From Suspicious Folder
Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D1F7B76A2FEB2E4A506948573AE81708, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7564, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7768, ProcessName: powershell.exe
Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D1F7B76A2FEB2E4A506948573AE81708, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7564, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7768, ProcessName: powershell.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D1F7B76A2FEB2E4A506948573AE81708, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7564, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7768, ProcessName: powershell.exe
Sigma detected: Msiexec Initiated Connection
Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 172.67.194.29, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7564, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Sigma detected: Suspicious MsiExec Embedding Parent
Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D1F7B76A2FEB2E4A506948573AE81708, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7564, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7768, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D1F7B76A2FEB2E4A506948573AE81708, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7564, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7768, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-12-26T19:49:13.708294+010028292021A Network Trojan was detected192.168.2.449730172.67.194.29443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 87.5% probability
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}Jump to behavior
Source: unknownHTTPS traffic detected: 172.67.194.29:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000000.1823762380.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: b8ygJBG5cb.msi
Source: Binary string: ucrtbase.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: b8ygJBG5cb.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000A.00000002.1829973195.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: b8ygJBG5cb.msi
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000A.00000000.1826261631.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000000.1823762380.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: b8ygJBG5cb.msi
Source: Binary string: ucrtbase.pdbUGP source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: b8ygJBG5cb.msi, MSI287B.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: b8ygJBG5cb.msi, MSI3A4F.tmp.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000A.00000000.1826261631.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: b8ygJBG5cb.msi, MSI3A4F.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: b8ygJBG5cb.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: b8ygJBG5cb.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: b8ygJBG5cb.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: b8ygJBG5cb.msi
Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
Source: C:\Windows\System32\cmd.exeFile opened: c:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE013FA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,10_2_00007FFE013FA330

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 172.67.194.29:443
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: yhmqpa.com
Source: unknownHTTP traffic detected: POST /updater.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: yhmqpa.comContent-Length: 71Cache-Control: no-cache
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: b8ygJBG5cb.msiString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: b8ygJBG5cb.msiString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: b8ygJBG5cb.msiString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: b8ygJBG5cb.msiString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://ocsp.digicert.com0C
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://ocsp.digicert.com0H
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://ocsp.digicert.com0I
Source: b8ygJBG5cb.msiString found in binary or memory: http://ocsp.digicert.com0K
Source: b8ygJBG5cb.msiString found in binary or memory: http://ocsp.digicert.com0N
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000002.1772028745.0000000004AD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: b8ygJBG5cb.msiString found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000003.00000002.1772028745.0000000004981000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1772028745.0000000004AD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://www.digicert.com/CPS0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ImporterREDServer.exe, 0000000A.00000002.1829973195.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.drString found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000003.00000002.1772028745.0000000004981000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: b8ygJBG5cb.msiString found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1772028745.0000000004AD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1772028745.0000000005041000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: classes_nocoops.jsa.1.drString found in binary or memory: https://java.oracle.com/
Source: powershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: b8ygJBG5cb.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, boost_system.dll.1.drString found in binary or memory: https://www.digicert.com/CPS0
Source: b8ygJBG5cb.msiString found in binary or memory: https://yhmqpa.com/updater.phpx
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: unknownHTTPS traffic detected: 172.67.194.29:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\631d79.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI26B0.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI274E.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI278D.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27CD.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI281C.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI284C.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI287B.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3A4F.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4637.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4657.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\631d7c.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\631d7c.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI26B0.tmpJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_000000014001222010_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_000000014000839010_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_0000000140007FC010_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE013FF9B010_2_00007FFE013FF9B0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0141220810_2_00007FFE01412208
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0142F9DA10_2_00007FFE0142F9DA
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0142288010_2_00007FFE01422880
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE013FE8B010_2_00007FFE013FE8B0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE014060D010_2_00007FFE014060D0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0140ABB010_2_00007FFE0140ABB0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0141434010_2_00007FFE01414340
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0142A27C10_2_00007FFE0142A27C
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0141633810_2_00007FFE01416338
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0142BDA010_2_00007FFE0142BDA0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE014295A810_2_00007FFE014295A8
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE01422D7010_2_00007FFE01422D70
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0140CDF010_2_00007FFE0140CDF0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE01416C8410_2_00007FFE01416C84
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0140644010_2_00007FFE01406440
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0141547010_2_00007FFE01415470
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0140946010_2_00007FFE01409460
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE01410C6010_2_00007FFE01410C60
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0140BCD010_2_00007FFE0140BCD0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE014244E010_2_00007FFE014244E0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE013FC78010_2_00007FFE013FC780
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0141478010_2_00007FFE01414780
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE01408FB010_2_00007FFE01408FB0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE013FD81010_2_00007FFE013FD810
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0142B69810_2_00007FFE0142B698
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0140DF1010_2_00007FFE0140DF10
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0141071010_2_00007FFE01410710
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE01413F0010_2_00007FFE01413F00
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE1A53750810_2_00007FFE1A537508
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs b8ygJBG5cb.msi
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs b8ygJBG5cb.msi
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenameDataUploader.dllF vs b8ygJBG5cb.msi
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs b8ygJBG5cb.msi
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenameucrtbase.dllj% vs b8ygJBG5cb.msi
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenamevcruntime140.dllT vs b8ygJBG5cb.msi
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenamemsvcp140.dllT vs b8ygJBG5cb.msi
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs b8ygJBG5cb.msi
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs b8ygJBG5cb.msi
Source: b8ygJBG5cb.msiBinary or memory string: OriginalFilenameembeddeduiproxy.dllF vs b8ygJBG5cb.msi
Source: dvacore.dll.1.drBinary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engineClassification label: mal64.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_0000000140010BE0 GetLastError,FormatMessageA,10_2_0000000140010BE0
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE013FA7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn,10_2_00007FFE013FA7B0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CML4CB7.tmpJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFEA434C703339BAD4.TMPJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\PayloadJump to behavior
Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\b8ygJBG5cb.msi"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D1F7B76A2FEB2E4A506948573AE81708
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D1F7B76A2FEB2E4A506948573AE81708Jump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""Jump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: dvacore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: libzip.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_system.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_date_time.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_threads.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: boost_filesystem.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: dvaunittesting.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: utest.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}Jump to behavior
Source: b8ygJBG5cb.msiStatic file information: File size 60154880 > 1048576
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000007.00000000.1823762380.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: b8ygJBG5cb.msi
Source: Binary string: ucrtbase.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: b8ygJBG5cb.msi
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000A.00000002.1829973195.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: b8ygJBG5cb.msi
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\third_party\projects\boost_system\lib\win\release\64\boost_system.pdb source: boost_system.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000A.00000000.1826261631.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000007.00000000.1823762380.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: b8ygJBG5cb.msi
Source: Binary string: ucrtbase.pdbUGP source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: b8ygJBG5cb.msi, MSI287B.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: b8ygJBG5cb.msi, MSI3A4F.tmp.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000A.00000000.1826261631.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: b8ygJBG5cb.msi, MSI3A4F.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: b8ygJBG5cb.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: b8ygJBG5cb.msi
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: b8ygJBG5cb.msi
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: b8ygJBG5cb.msi
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: b8ygJBG5cb.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: b8ygJBG5cb.msi
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: b8ygJBG5cb.msi
Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.drStatic PE information: section name: _RDATA
Source: UnRar.exe.1.drStatic PE information: section name: _RDATA
Source: BCUninstaller.exe.1.drStatic PE information: section name: _RDATA
Source: createdump.exe.1.drStatic PE information: section name: _RDATA
Source: MSI4657.tmp.1.drStatic PE information: section name: .fptable
Source: MSI26B0.tmp.1.drStatic PE information: section name: .fptable
Source: MSI274E.tmp.1.drStatic PE information: section name: .fptable
Source: MSI278D.tmp.1.drStatic PE information: section name: .fptable
Source: MSI27CD.tmp.1.drStatic PE information: section name: .fptable
Source: MSI281C.tmp.1.drStatic PE information: section name: .fptable
Source: MSI284C.tmp.1.drStatic PE information: section name: .fptable
Source: MSI287B.tmp.1.drStatic PE information: section name: .fptable
Source: MSI3A4F.tmp.1.drStatic PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_06A2BD82 push esp; ret 3_2_06A2BD93
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3A4F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI26B0.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI284C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI274E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27CD.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI281C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4657.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI287B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI278D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3A4F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI281C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4657.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI287B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI26B0.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27CD.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI284C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI278D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI274E.tmpJump to dropped file
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE0142C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_00007FFE0142C0C0
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3222Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2333Jump to behavior
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3A4F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI281C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4657.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI287B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI26B0.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI284C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI278D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI274E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI27CD.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeAPI coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848Thread sleep count: 3222 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848Thread sleep count: 2333 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE013FA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,10_2_00007FFE013FA330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: classes_nocoops.jsa.1.drBinary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.drBinary or memory string: ,jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: ()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.drBinary or memory string: VirtualMachineError.java
Source: b8ygJBG5cb.msiBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk/vm/ci/common/JVMCIError
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: &jdk.vm.ci.services.JVMCIServiceLocator
Source: classes_nocoops.jsa.1.drBinary or memory string: ()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.1.drBinary or memory string: 7jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: <"()Ljdk/vm/ci/runtime/JVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: [Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.drBinary or memory string: java/lang/VirtualMachineError
Source: classes_nocoops.jsa.1.drBinary or memory string: org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.1.drBinary or memory string: %jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk/vm/ci/hotspot/HotSpotJVMCIRuntime
Source: classes_nocoops.jsa.1.drBinary or memory string: ;jdk.vm.ci.hotspot.aarch64.AArch64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk/vm/ci/runtime/JVMCI
Source: classes_nocoops.jsa.1.drBinary or memory string: )()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: classes_nocoops.jsa.1.drBinary or memory string: UG#java/lang/VirtualMachineError.class
Source: classes_nocoops.jsa.1.drBinary or memory string: #()Ljdk/vm/ci/runtime/JVMCICompiler;
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: jdk.vm.ci.hotspot.amd64.AMD64HotSpotJVMCIBackendFactory
Source: classes_nocoops.jsa.1.drBinary or memory string: <org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: classes_nocoops.jsa.1.drBinary or memory string: Ljava/lang/VirtualMachineError;
Source: classes_nocoops.jsa.1.drBinary or memory string: ()Ljdk/vm/ci/hotspot/HotSpotJVMCIRuntime;
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 7_2_00007FF632BC2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF632BC2ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 7_2_00007FF632BC2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF632BC2984
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 7_2_00007FF632BC2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF632BC2ECC
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 7_2_00007FF632BC3074 SetUnhandledExceptionFilter,7_2_00007FF632BC3074
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_0000000140011F24 SetUnhandledExceptionFilter,10_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE01442CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE01442CDC
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: 10_2_00007FFE1A54004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FFE1A54004C

HIPS / PFW / Operating System Protection Evasion

barindex
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss46ed.ps1" -propfile "c:\users\user\appdata\local\temp\msi46ea.txt" -scriptfile "c:\users\user\appdata\local\temp\scr46eb.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr46ec.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss46ed.ps1" -propfile "c:\users\user\appdata\local\temp\msi46ea.txt" -scriptfile "c:\users\user\appdata\local\temp\scr46eb.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr46ec.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."Jump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exeCode function: ___lc_locale_name_func,GetLocaleInfoEx,10_2_00007FFE0141EFC0
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exeCode function: 7_2_00007FF632BC2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF632BC2DA0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		1
Replication Through Removable Media		1
Command and Scripting Interpreter		1
Windows Service		1
Windows Service		21
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		11
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		1
Scripting		11
Process Injection		1
Disable or Modify Tools		LSASS Memory11
Security Software Discovery		Remote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
DLL Side-Loading		1
DLL Side-Loading		21
Virtualization/Sandbox Evasion		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive3
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDS21
Virtualization/Sandbox Evasion		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Deobfuscate/Decode Files or Information		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
Obfuscated Files or Information		Cached Domain Credentials11
Peripheral Device Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
Timestomp		DCSync1
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
DLL Side-Loading		Proc Filesystem24
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
File Deletion		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1581043 Sample: b8ygJBG5cb.msi Startdate: 26/12/2024 Architecture: WINDOWS Score: 64 49 yhmqpa.com 2->49 55 Suricata IDS alerts for network traffic 2->55 57 AI detected suspicious sample 2->57 59 Sigma detected: Suspicious Script Execution From Temp Folder 2->59 61 Sigma detected: Script Interpreter Execution From Suspicious Folder 2->61 9 msiexec.exe 139 107 2->9         started        12 msiexec.exe 2 2->12         started        signatures3 process4 file5 35 C:\Windows\Installer\MSI4657.tmp, PE32 9->35 dropped 37 C:\Windows\Installer\MSI3A4F.tmp, PE32 9->37 dropped 39 C:\Windows\Installer\MSI287B.tmp, PE32 9->39 dropped 41 52 other files (none is malicious) 9->41 dropped 14 msiexec.exe 14 9->14         started        19 cmd.exe 1 9->19         started        21 createdump.exe 1 9->21         started        process6 dnsIp7 51 yhmqpa.com 172.67.194.29, 443, 49730 CLOUDFLARENETUS United States 14->51 43 C:\Users\user\AppData\Local\...\scr46EB.ps1, Unicode 14->43 dropped 45 C:\Users\user\AppData\Local\...\pss46ED.ps1, Unicode 14->45 dropped 47 C:\Users\user\AppData\Local\...\msi46EA.txt, Unicode 14->47 dropped 53 Bypasses PowerShell execution policy 14->53 23 powershell.exe 17 14->23         started        25 ImporterREDServer.exe 1 19->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        file8 signatures9 process10 process11 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll0%ReversingLabs
C:\Windows\Installer\MSI26B0.tmp0%ReversingLabs
C:\Windows\Installer\MSI274E.tmp0%ReversingLabs
C:\Windows\Installer\MSI278D.tmp0%ReversingLabs
C:\Windows\Installer\MSI27CD.tmp0%ReversingLabs
C:\Windows\Installer\MSI281C.tmp0%ReversingLabs
C:\Windows\Installer\MSI284C.tmp0%ReversingLabs
C:\Windows\Installer\MSI287B.tmp0%ReversingLabs
C:\Windows\Installer\MSI3A4F.tmp0%ReversingLabs
C:\Windows\Installer\MSI4657.tmp0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://yhmqpa.com/updater.php0%Avira URL Cloudsafe
https://java.oracle.com/0%Avira URL Cloudsafe
https://yhmqpa.com/updater.phpx0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
yhmqpa.com
172.67.194.29
truetrue
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://yhmqpa.com/updater.phptrue
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1772028745.0000000004AD6000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        https://aka.ms/pscore6lBpowershell.exe, 00000003.00000002.1772028745.0000000004981000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1772028745.0000000004AD6000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://go.micropowershell.exe, 00000003.00000002.1772028745.0000000005041000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://contoso.com/powershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://java.oracle.com/classes_nocoops.jsa.1.drfalse
                • Avira URL Cloud: safe
                		unknown
                https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://contoso.com/Licensepowershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://contoso.com/Iconpowershell.exe, 00000003.00000002.1773925798.00000000059ED000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://schemas.mickb8ygJBG5cb.msifalse
                        		high
                        http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-ImporterREDServer.exe, 0000000A.00000002.1829973195.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.drfalse
                          		high
                          https://yhmqpa.com/updater.phpxb8ygJBG5cb.msifalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://aka.ms/winui2/webview2download/Reload():b8ygJBG5cb.msifalse
                            		high
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1772028745.0000000004981000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1772028745.0000000004AD6000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                172.67.194.29
                                		yhmqpa.comUnited States
                                		13335CLOUDFLARENETUStrue

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1581043
                                Start date and time:2024-12-26 19:48:14 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 7m 22s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:15
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:b8ygJBG5cb.msi
                                renamed because original name is a hash value
                                Original Sample Name:e308c6a223d373b77c7189616db80f171e83ac026ecabf5d7f0b3977ef817801.msi
                                Detection:MAL
                                Classification:mal64.evad.winMSI@17/91@1/1
                                EGA Information:
                                • Successful, ratio: 33.3%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 15
                                • Number of non-executed functions: 198
                                Cookbook Comments:
                                • Found application associated with file extension: .msi

                                Warnings

                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target ImporterREDServer.exe, PID 8044 because there are no executed function
                                • Execution Graph export aborted for target powershell.exe, PID 7768 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • VT rate limit hit for: b8ygJBG5cb.msi

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                13:49:14API Interceptor4x Sleep call for process: powershell.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASNs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                CLOUDFLARENETUStBnELFfQoe.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                • 104.21.49.159
                                phish_alert_iocp_v1.4.48 - 2024-12-26T095152.060.emlGet hashmaliciousUnknownBrowse
                                • 104.17.25.14
                                phish_alert_iocp_v1.4.48 - 2024-12-26T092852.527.emlGet hashmaliciousUnknownBrowse
                                • 104.17.25.14
                                installer_1.05_36.4.zipGet hashmaliciousNetSupport RAT, LummaC, LummaC StealerBrowse
                                • 172.67.214.186
                                https://contractnerds.com/Get hashmaliciousUnknownBrowse
                                • 104.17.25.14
                                Z4D3XAZ2jB.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                • 104.21.93.162
                                http://vanessa.nilsson@dmava.nj.govGet hashmaliciousUnknownBrowse
                                • 104.21.50.150
                                https://www.gglusa.us/Get hashmaliciousUnknownBrowse
                                • 104.18.11.207
                                0zBsv1tnt4.exeGet hashmaliciousLummaCBrowse
                                • 104.21.11.101
                                cqHMm0ykDG.exeGet hashmaliciousLummaCBrowse
                                • 104.21.11.101

                                JA3 Fingerprints

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                37f463bf4616ecd445d4a1937da06e19setup.msiGet hashmaliciousUnknownBrowse
                                • 172.67.194.29
                                installer.msiGet hashmaliciousUnknownBrowse
                                • 172.67.194.29
                                setup.msiGet hashmaliciousUnknownBrowse
                                • 172.67.194.29
                                setup.msiGet hashmaliciousUnknownBrowse
                                • 172.67.194.29
                                HVlonDQpuI.exeGet hashmaliciousVidarBrowse
                                • 172.67.194.29
                                00000.ps1Get hashmaliciousLummaCBrowse
                                • 172.67.194.29
                                123.ps1Get hashmaliciousLummaCBrowse
                                • 172.67.194.29
                                Purchase Order No. G02873362-Docx.vbsGet hashmaliciousLodaRAT, XRedBrowse
                                • 172.67.194.29
                                blq.exeGet hashmaliciousGh0stCringe, RunningRAT, XRedBrowse
                                • 172.67.194.29

                                Dropped Files

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exesetup.msiGet hashmaliciousUnknownBrowse
                                  installer.msiGet hashmaliciousUnknownBrowse
                                    setup.msiGet hashmaliciousUnknownBrowse
                                      setup.msiGet hashmaliciousUnknownBrowse
                                        installer.msiGet hashmaliciousUnknownBrowse
                                          E8vC8KRIp1.msiGet hashmaliciousUnknownBrowse
                                            installer.msiGet hashmaliciousUnknownBrowse
                                              3gPZmVbozD.msiGet hashmaliciousUnknownBrowse
                                                setup.msiGet hashmaliciousUnknownBrowse
                                                  installer.msiGet hashmaliciousUnknownBrowse

                                                    Created / dropped Files

                                                    C:\Config.Msi\631d7b.rbs

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):20604
                                                    Entropy (8bit):5.826336646164111
                                                    Encrypted:false
                                                    SSDEEP:384:8Y8vg7yReIYGaUbJlty/6Igz2S4qhCTThZhN4NtqLBHsIR5MA74mHI5dSsZhThhS:8Tvg7yReIYGaUbJlty/6Igz2S4qhCTTJ
                                                    MD5:64CD90D750A52244D424B5AB9502476F
                                                    SHA1:CFAD8C09F840DC510D95EF9717DCB15E8D03B19D
                                                    SHA-256:A92788AC639BADC43A2D10E2D324320B045F6917CA061A6CE7970CBB56ED489F
                                                    SHA-512:3FB19E039862E70B8EC1D910A03F2FE3FDF186C8917D391B000913A9EACF46DBFB67BB17B87F4926BA6ACF80C0496FF4AC1A170A02A25468AE5C5710FF591664
                                                    Malicious:false
                                                    Preview:...@IXOS.@.....@(n.Y.@.....@.....@.....@.....@.....@......&.{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}..Cave App..b8ygJBG5cb.msi.@.....@.....@.....@......icon_24.exe..&.{52452393-09E5-4A48-806B-98930A631B95}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}.@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}&.{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}.@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}&.{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}.@......&.{DE28A560-E5E1-4035-8CA3-44934686A249}&.{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}.@......&.{03D39B98-E7BB-4062-BD92-307D642A5CF1}&.{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{800C31D3-CBAB-4

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1360
                                                    Entropy (8bit):5.410752962027976
                                                    Encrypted:false
                                                    SSDEEP:24:3yWSKco4KmZjKbmOIKod6lss4RPQoUP7mZ9t7J0gt/NK3R82ia8HSVbV:CWSU4xympgv4RIoUP7mZ9tK8NWR82TVx
                                                    MD5:F9222996DEFEA104BEDEC6A52DF544DD
                                                    SHA1:0DFE192B0A5B12880AEAD1C1CC7524049E682A2E
                                                    SHA-256:A594DDE7BA3468167DF7F70BB6F4F09A12F40BCA9F1CA65CAD2159FC634B62F4
                                                    SHA-512:42B7ABDA4883CC575804707673CB6250A397A428EC4C1E152BAC3CFCA4B8FA160121E18FACA99C6DADBF088D8E99AB15CBC36E4CDD4688CDF562EF34ED724A2F
                                                    Malicious:false
                                                    Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dcxxbhyn.rqm.psm1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2urd3hm.mzj.ps1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\msi46EA.txt

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):100
                                                    Entropy (8bit):3.0073551160284637
                                                    Encrypted:false
                                                    SSDEEP:3:Q0JUINRYplflrOdlVWNlANf5Yplf955:Q0JB0LJOn03ANqLN
                                                    MD5:7A131AC8F407D08D1649D8B66D73C3B0
                                                    SHA1:D93E1B78B1289FB51E791E524162D69D19753F22
                                                    SHA-256:9ACBF0D3EEF230CC2D5A394CA5657AE42F3E369292DA663E2537A278A811FF5B
                                                    SHA-512:47B6FF38B4DF0845A83F17E0FE889747A478746E1E7F17926A5CCAC1DD39C71D93F05A88E0EC176C1E5D752F85D4BDCFFB5C64125D1BA92ACC91D03D6031848D
                                                    Malicious:true
                                                    Preview:..Q.u.i.t.e.S.e.s. .:.<.-.>.:. . .<.<.:.>.>. .E.x.t.e.n.d.E.x.p.i.r.e. .:.<.-.>.:. .0. .<.<.:.>.>. .

                                                    C:\Users\user\AppData\Local\Temp\pss46ED.ps1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):6668
                                                    Entropy (8bit):3.5127462716425657
                                                    Encrypted:false
                                                    SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                    MD5:30C30EF2CB47E35101D13402B5661179
                                                    SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                    SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                    SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                    Malicious:true
                                                    Preview:..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

                                                    C:\Users\user\AppData\Local\Temp\scr46EB.ps1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):254
                                                    Entropy (8bit):3.555045878547657
                                                    Encrypted:false
                                                    SSDEEP:6:QfFok79idK3fOlFogltHN+KiVmMXFVrMTlP1LlG7JidK3falnUOn03AnfInO:QfF3KvogM/XFVrMTQNeFUr3+
                                                    MD5:E8A84AE0A0597E0C4FBB7FA36F7D0CA7
                                                    SHA1:B97096DF7801FA5F91542F0F9A70616DD5D49B03
                                                    SHA-256:9F2D8F053895BF9377A4686714833304E87A4E926B7581599D44B45380B5DFDE
                                                    SHA-512:83960868B8DBFFEF2B3EE557AD89BB18CF80043FEB2A7BFDB0630F32A1870585158E4F4B367C72BBFDD760A586E5D1FEB73192C0E769507A6ED81E90BF4925EB
                                                    Malicious:true
                                                    Preview:..$.o.i.g.n.q.p. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".Q.u.i.t.e.S.e.s.".....$.a.v.o.i.j.g. .=. .[.u.i.n.t.3.2.].(.$.o.i.g.n.q.p. .-.r.e.p.l.a.c.e. .'.t.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".E.x.t.e.n.d.E.x.p.i.r.e.". .$.a.v.o.i.j.g.

                                                    C:\Users\user\AppData\Roaming\Microsoft\Installer\{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}\icon_24.exe

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                    Category:dropped
                                                    Size (bytes):195906
                                                    Entropy (8bit):4.669224805215773
                                                    Encrypted:false
                                                    SSDEEP:1536:k1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9ykl:k1Z0vZXJZYDFufyXbJNCcr
                                                    MD5:E40B08C6FF5F07916B45741B7D0C5E87
                                                    SHA1:94C2357A59BAA3B537993F570CEA03EC51C1917B
                                                    SHA-256:131ABD59B7D4B6177F2815E8CEB0F3DA325CB1074AEFBE99F61A382F1895AF44
                                                    SHA-512:FA8453DD4936F772381E50533CD91DB8857F1A608CEB91F225300FC4E9DE8475EB416A3682D0C85829058570EBB9BBDF18CC650D36FA87E13BC262C827D0C695
                                                    Malicious:false
                                                    Preview:............ .............. .(.......``.... .........HH.... ..T..R"..@@.... .(B...v..00.... ..%...... .... ............... .....R......... .h........PNG........IHDR.............\r.f....pHYs..........o.d.. .IDATx..yx.e.>|.Ug?Y.N..d%...6M."....".=......v..f....5}..3.b.h#v..".....b.(...@.}..........8kr...}]\".N.[u.y.g....|....|....|....|....|....|....|...[..F/......h4..h$...5.....Z.f..J%322...... .p...\HH.l6.a..c.............rC>.8|..&..;....f.Y.q....a.?.e.x..eY6F....a..DBH...F....@..R.\v.!...QJ[....(...Z.!.@#!d.R..l'!.3..V........s3..|..|.`.b..LSS...._A.Q.....@. ...2.o...J)C.a(...B.a.s.B......>N.......PB.O..(.m...t..P.0L...^&..p.g.....<x..g...S......2.L..h4..a.y..#.,..A.I..@)..`.!.!.qv>W...D...Z.R...cLA..Z.|G)..p.a.J..8..t..9......S.7.EEEZ..Q*.I..;.AXJ.Y.0L....0......8Z#.....B,..*J...e...p..~???...n..+...)...7.[[[.4.M0.%..{(........jA.m..)...A.x.).+.."....|E...y.p..q..Y.m....a....CBB.,..0.s/...q.^.@1Q@nvaw.W./..#.p...J.Q.e..B..,;..._.o.Ro.....`...^....ls.!......

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\BCUninstaller.exe

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):310928
                                                    Entropy (8bit):6.001677789306043
                                                    Encrypted:false
                                                    SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                    MD5:147B71C906F421AC77F534821F80A0C6
                                                    SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                    SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                    SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
                                                    • Filename: setup.msi, Detection: malicious, Browse
                                                    • Filename: installer.msi, Detection: malicious, Browse
                                                    • Filename: setup.msi, Detection: malicious, Browse
                                                    • Filename: setup.msi, Detection: malicious, Browse
                                                    • Filename: installer.msi, Detection: malicious, Browse
                                                    • Filename: E8vC8KRIp1.msi, Detection: malicious, Browse
                                                    • Filename: installer.msi, Detection: malicious, Browse
                                                    • Filename: 3gPZmVbozD.msi, Detection: malicious, Browse
                                                    • Filename: setup.msi, Detection: malicious, Browse
                                                    • Filename: installer.msi, Detection: malicious, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}|...|...|....../p....../v....../1...u.a.l....../u...|........./v....../}...Rich|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):117496
                                                    Entropy (8bit):6.136079902481222
                                                    Encrypted:false
                                                    SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                    MD5:F67792E08586EA936EBCAE43AAB0388D
                                                    SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                    SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                    SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,|..B/..B/..B/.../..B/.G...B/.F...B/.A...B/.C...B/.C...B/..G...B/<.C...B/..C/..B/<.G...B/<../..B/.../..B/<.@...B/Rich..B/................PE..d.....-a..........#............................@.....................................].... .................................................D...,...............`....................]..T...................P_..(...P^...............0..H............................text............................... ..`.rdata...o...0...p..."..............@..@.data...@...........................@....pdata..`...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\UnRar.exe

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):506008
                                                    Entropy (8bit):6.4284173495366845
                                                    Encrypted:false
                                                    SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                    MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                    SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                    SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                    SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............|.&.....|.$.J...|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12224
                                                    Entropy (8bit):6.596101286914553
                                                    Encrypted:false
                                                    SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                    MD5:919E653868A3D9F0C9865941573025DF
                                                    SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                    SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                    SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...Y.=i.........." .........................................................0......a.....`.........................................`...,............ ...................!..............T............................................................................rdata..P...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-console-l1-2-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12224
                                                    Entropy (8bit):6.640081558424349
                                                    Encrypted:false
                                                    SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                    MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                    SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                    SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                    SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....y1..........." .........................................................0...........`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-datetime-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11712
                                                    Entropy (8bit):6.6023398138369505
                                                    Encrypted:false
                                                    SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                    MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                    SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                    SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                    SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....Ab.........." .........................................................0......d.....`.........................................`................ ...................!..............T............................................................................rdata..4...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-debug-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.614262942006268
                                                    Encrypted:false
                                                    SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                    MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                    SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                    SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                    SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-errorhandling-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.654155040985372
                                                    Encrypted:false
                                                    SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                    MD5:94788729C9E7B9C888F4E323A27AB548
                                                    SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                    SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                    SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....:.[.........." .........................................................0......~.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):15304
                                                    Entropy (8bit):6.548897063441128
                                                    Encrypted:false
                                                    SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                    MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                    SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                    SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                    SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................@............`.........................................`................0...................!..............T............................................................................rdata..(...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l1-2-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11712
                                                    Entropy (8bit):6.622041192039296
                                                    Encrypted:false
                                                    SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                    MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                    SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                    SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                    SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......./....`.........................................`...L............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-file-l2-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.730719514840594
                                                    Encrypted:false
                                                    SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                    MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                    SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                    SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                    SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0............`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-handle-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.626458901834476
                                                    Encrypted:false
                                                    SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                    MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                    SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                    SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                    SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...>G.j.........." .........................................................0............`.........................................`...`............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-heap-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.577869728469469
                                                    Encrypted:false
                                                    SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                    MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                    SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                    SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                    SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......M.....`.........................................`................ ...................!..............T............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-interlocked-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11712
                                                    Entropy (8bit):6.6496318655699795
                                                    Encrypted:false
                                                    SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                    MD5:A038716D7BBD490378B26642C0C18E94
                                                    SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                    SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                    SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...*............." .........................................................0......-.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-libraryloader-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12736
                                                    Entropy (8bit):6.587452239016064
                                                    Encrypted:false
                                                    SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                    MD5:D75144FCB3897425A855A270331E38C9
                                                    SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                    SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                    SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-localization-l1-2-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):14280
                                                    Entropy (8bit):6.658205945107734
                                                    Encrypted:false
                                                    SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                    MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                    SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                    SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                    SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-memory-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12224
                                                    Entropy (8bit):6.621310788423453
                                                    Encrypted:false
                                                    SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                    MD5:808F1CB8F155E871A33D85510A360E9E
                                                    SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                    SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                    SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-namedpipe-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.7263193693903345
                                                    Encrypted:false
                                                    SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                    MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                    SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                    SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                    SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processenvironment-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12744
                                                    Entropy (8bit):6.601327134572443
                                                    Encrypted:false
                                                    SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                    MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                    SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                    SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                    SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):14272
                                                    Entropy (8bit):6.519411559704781
                                                    Encrypted:false
                                                    SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                    MD5:E173F3AB46096482C4361378F6DCB261
                                                    SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                    SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                    SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-processthreads-l1-1-1.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.659079053710614
                                                    Encrypted:false
                                                    SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                    MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                    SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                    SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                    SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-profile-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11200
                                                    Entropy (8bit):6.7627840671368835
                                                    Encrypted:false
                                                    SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                    MD5:0233F97324AAAA048F705D999244BC71
                                                    SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                    SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                    SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-rtlsupport-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12224
                                                    Entropy (8bit):6.590253878523919
                                                    Encrypted:false
                                                    SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                    MD5:E1BA66696901CF9B456559861F92786E
                                                    SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                    SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                    SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-string-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.672720452347989
                                                    Encrypted:false
                                                    SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                    MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                    SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                    SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                    SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):13760
                                                    Entropy (8bit):6.575688560984027
                                                    Encrypted:false
                                                    SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                    MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                    SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                    SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                    SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-synch-l1-2-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.70261983917014
                                                    Encrypted:false
                                                    SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                    MD5:D175430EFF058838CEE2E334951F6C9C
                                                    SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                    SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                    SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-sysinfo-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12744
                                                    Entropy (8bit):6.599515320379107
                                                    Encrypted:false
                                                    SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                    MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                    SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                    SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                    SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-timezone-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.690164913578267
                                                    Encrypted:false
                                                    SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                    MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                    SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                    SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                    SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-core-util-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11720
                                                    Entropy (8bit):6.615761482304143
                                                    Encrypted:false
                                                    SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                    MD5:735636096B86B761DA49EF26A1C7F779
                                                    SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                    SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                    SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-conio-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12744
                                                    Entropy (8bit):6.627282858694643
                                                    Encrypted:false
                                                    SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                    MD5:031DC390780AC08F498E82A5604EF1EB
                                                    SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                    SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                    SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-convert-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):15816
                                                    Entropy (8bit):6.435326465651674
                                                    Encrypted:false
                                                    SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                    MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                    SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                    SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                    SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-environment-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):12232
                                                    Entropy (8bit):6.5874576656353145
                                                    Encrypted:false
                                                    SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                    MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                    SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                    SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                    SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\api-ms-win-crt-filesystem-l1-1-0.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):13768
                                                    Entropy (8bit):6.645869978118917
                                                    Encrypted:false
                                                    SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                    MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                    SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                    SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                    SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_date_time.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):61176
                                                    Entropy (8bit):5.850944458899023
                                                    Encrypted:false
                                                    SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                    MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                    SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                    SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                    SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.X.F...F...F...>O..F.......F.......F.......F.......F.......F...F...F..-/...F..-/...F..-/#..F...FK..F..-/...F..Rich.F..........PE..d.....-a.........." .....X...|.......Y.................................................... .....................................................x.......h.......................0...P...T.......................(....................p..X............................text....V.......X.................. ..`.rdata...X...p...Z...\..............@..@.data...............................@....pdata..............................@..@.rsrc...h...........................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_filesystem.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):127224
                                                    Entropy (8bit):6.217127607919178
                                                    Encrypted:false
                                                    SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                    MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                    SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                    SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                    SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'y.fI*.fI*.fI*...*.fI*..M+.fI*..J+.fI*..L+.fI*..H+.fI*..H+.fI*..H+.fI*.fH*.fI*..L+.fI*..I+.fI*...*.fI*.f.*.fI*..K+.fI*Rich.fI*................PE..d.....-a.........." ......................................................... ............ ..........................................x..|B..............p.......@...............D....>..T...................0@..(...0?............... ...............................text...p........................... ..`.rdata....... ......................@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc..D...........................@..B................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_program_options.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):418040
                                                    Entropy (8bit):6.1735291180760505
                                                    Encrypted:false
                                                    SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                    MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                    SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                    SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                    SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+ ..Es..Es..Es...s..Es..Ar..Es..Fr..Es..@r..Es..Dr..Es..Dr..Es..Ds(.Es..@r..Es..Er..Es..s..Es...s..Es..Gr..EsRich..Es........PE..d.....-a.........." .........:.......................................................4.... .........................................`n...T...........p.......0..d2...D.................T...................0...(...0................ ...............................text...\........................... ..`.rdata..h.... ......................@..@.data....7.......0..................@....pdata..d2...0...4..................@..@.rsrc........p.......8..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_regex.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):698104
                                                    Entropy (8bit):6.463466021766765
                                                    Encrypted:false
                                                    SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                    MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                    SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                    SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                    SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.B.P.B.P.B.P.K...N.P...T.J.P...S.@.P...U.Z.P...Q.F.P...Q.G.P.B.Q...P..U.P.P..P.C.P...C.P.B...C.P..R.C.P.RichB.P.........................PE..d.....-a.........." ................l................................................s.... ..........................................7..T...4...........X....`...D...................Q..T...................@S..(...@R..................H............................text............................... ..`.rdata...V.......X..................@..@.data...`(...0..."..................@....pdata...D...`...F...6..............@..@.rsrc...X............|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_system.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):31480
                                                    Entropy (8bit):5.969706735107452
                                                    Encrypted:false
                                                    SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                    MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                    SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                    SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                    SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{...{...{...r.e.....)...h...)...s...)...y...)....... ...x...{...E......y......z......z...{.a.z......z...Rich{...........PE..d.....-a.........." .....,...4......@0................................................... ..........................................T......tU..x.......`....p.......^..............0F..T....................G..(....F...............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...h....`.......N..............@....pdata.......p.......R..............@..@.rsrc...`............V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\boost_threads.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):103672
                                                    Entropy (8bit):5.851546804507911
                                                    Encrypted:false
                                                    SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                    MD5:129051E3B7B8D3CC55559BEDBED09486
                                                    SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                    SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                    SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X..............&........................................&.............&......&......&.J.......".....&......Rich............................PE..d.....-a.........." ................4...............................................:..... ..........................................J.......[..........`............x..............`...T.......................(....................................................text............................... ..`.rdata.............................@..@.data........p.......N..............@....pdata...............\..............@..@.rsrc...`............n..............@..@.reloc...............t..............@..B........................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):57488
                                                    Entropy (8bit):6.382541157520703
                                                    Encrypted:false
                                                    SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                    MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                    SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                    SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                    SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x....{...........ox....ox9....ox....Rich...........................PE..d......d.........."......f...N......p).........@....................................2.....`.....................................................................P........(......d.......T...............................8............................................text....e.......f.................. ..`.rdata...6.......8...j..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):4664568
                                                    Entropy (8bit):6.259383987199329
                                                    Encrypted:false
                                                    SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                    MD5:A6A89F55416DB79D9E13B82685A04D60
                                                    SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                    SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                    SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........$n..J=..J=..J=...=..J=..N<..J=..I<..J=..O<..J=..K<..J=..N<..J=..L<..J=..K<..J=..K<..J=..K=i.J=..N<..J=..O<U.J=..J<..J=..=..J=...=..J=..H<..J=Rich..J=................PE..d.....-a.........." ......+..........f(.......................................I.......H... ..........................................7>.8.....A......@I.......G......G......PI..F....1.T...................0.1.(...0.1...............+..............................text.....+.......+................. ..`.rdata.......+.......+.............@..@.data....'...`B......DB.............@....pdata.......G.......E.............@..@.rsrc........@I.......F.............@..@.reloc...F...PI..H....F.............@..B........................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):215288
                                                    Entropy (8bit):6.050529290720027
                                                    Encrypted:false
                                                    SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                    MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                    SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                    SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                    SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[..5...5...5......5...1...5...6...5...0...5...4...5...4...5.#.4...5...4.-.5.#.0...5.#.5...5.#....5.......5.#.7...5.Rich..5.........PE..d.....-a.........." .........j...............................................p............ ..............................................!...........P..h....0.......,.......`..........T...........................@................................................text............................... ..`.rdata..............................@..@.data....$..........................@....pdata.......0... ..................@..@.rsrc...h....P......."..............@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ghiuoqfj.rar

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:RAR archive data, v5
                                                    Category:dropped
                                                    Size (bytes):407742
                                                    Entropy (8bit):7.999522625254532
                                                    Encrypted:true
                                                    SSDEEP:6144:crhzo+bKrOSYMhMD6lZifI4KneLxVscdZJvKWraLF68WBDvJ4dlHDXfcI3DXTqkl:cVcLrKIMmYI4gyxdF1vJaj3jGO
                                                    MD5:8D700CC202147BDD7BCD468021BB096E
                                                    SHA1:AC1DB78BCD4493F15CA9F88111B54D1B5546FD4A
                                                    SHA-256:AC8A04737DF1A5A57528BA3BD927DCD8D01CA65F9A58FCE20054FFA7DCB2A831
                                                    SHA-512:64FDFB457314DC4B2FDF5D40D5B6AD0B19C589EE123EA7DB8284173EA0C02314A07D476BFF77A8EBD62E727F850E068EF5A7F74601941A83D8B6D6F5B03563A0
                                                    Malicious:false
                                                    Preview:Rar!.......'!.....!.o/.....X..{`J.........x..r.+..n.....s.s......z...9.c..&?..4F.~...8,.d.m}>Z.a.|0..!J...:..m....jY.+.......v(q6c.(.b...t..X.. .~a.K.<.!O&.......y.zzb.e...i.x.$.....a......9..Q.../........v_=..{(.>N...J.j...FL,...G5..W.k.ve..P.U....KO.,n.~/_q....Q.,d.x42Y_e...-..X..B..._......jQ8.c.7.N.t.....Xh.....&.g...:y.7..@mu}g{!.j.n.!.}qPz.G.~g..#&}.1...{.h.`Q.2S...'.4.t9.`*.....U.}1&>.?..A.Am].GX3o[........T@...J?..%=.-.].A......`zqtEI....~8fi.4..*A..q..!.~'...p..B@T..}E..)...$.i...4..:..$..6.T.S^..m@..p..1....4......I..I...4W<j....,...n..w..Z....n....(..c......H.]....V.b=.W.8...T...%@<..%.F.4......q.~....QHG.;.........{.T.R.f.z.N.".g..$.{...bUXt.x...6..> .>.Q..Vc..y..HJ.............]v}..L.....6....l:2..#..).F].......y)bn...UZ...r.t.Z.V4..K.......,^.f....sMj..N.....B_.ZN...^..$.i '..(.h...j.r....XK.^.*.W...j.M..N...0U3...]?Eb~R#.[....J.=.GH.e..#.+I....q.......w..&{d..U.K,....2.p.B.S......y..o...;,.k4....Y...._~.....@.a..k.&

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\msvcp140.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):566704
                                                    Entropy (8bit):6.494428734965787
                                                    Encrypted:false
                                                    SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                    MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                    SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                    SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                    SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...%|.a.........." .....<...\.......)...................................................`A.........................................5..h...(...,............p...9...~...'......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):22
                                                    Entropy (8bit):3.879664004902594
                                                    Encrypted:false
                                                    SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                    MD5:D9324699E54DC12B3B207C7433E1711C
                                                    SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                    SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                    SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                    Malicious:false
                                                    Preview:@echo off..Start "" %1

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\classes.jsa

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):12124160
                                                    Entropy (8bit):4.1175508751036585
                                                    Encrypted:false
                                                    SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                    MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                    SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                    SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                    SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                    Malicious:false
                                                    Preview:.................*.\.....................................+................................Ol.....................................">.............................d..3......................A.......@...... t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\classes_nocoops.jsa

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):12124160
                                                    Entropy (8bit):4.117842215789484
                                                    Encrypted:false
                                                    SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                    MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                    SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                    SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                    SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                    Malicious:false
                                                    Preview:....j..L.........*.\.....................................+..............................j..-.....................................!>.............................|<:.......................A.......@...... t...............................".....................................................................................................................................................................................................................................................................................................................................................................................................................................(#......(............... ................Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925....................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.datatransfer.jmod

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):51389
                                                    Entropy (8bit):7.916683616123071
                                                    Encrypted:false
                                                    SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                    MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                    SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                    SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                    SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^*#.j...R.A..qV.1o...p.....|._.-N$.!.;X....|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be.*.eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.*t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N....*..r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.desktop.jmod

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):12133334
                                                    Entropy (8bit):7.944474086295981
                                                    Encrypted:false
                                                    SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                    MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                    SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                    SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                    SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.class.X...e../.l.!..!.#..M..."..g..#.B.........0;{.AAD.EE..QQQ.aG....{.]....7......~.{....k...{....<HD...4.......x%?G.4_St.Z...\..].+c..t.t........iC./...gZ..].8C..D'M...\3.+~5......z.<.f1..2.v./.As.Lv.....`2.M%...d.h..S`....YC.....D.u0-l.V#.5.,.e..)[..[.v..*............d.I...A........A+&."..8g.)"..E..1!.Z.]....Ak..5.......<'..L8bC..V4.U2.~$...i....)."I...O...d:......@..S...w0m...-....2..x....z.....O....k.8.}....P.....=..I/...<../.d..k....43VL.i...........C.S|`..!b.8....3.Ey..S..e..+.../T..j...g..B.@q9.."..>.LU..2-i....-.!....Z....g.BGl.j..R...Z.D.YJ.Kd...9 l.FN4.Rk.22..b..Rn...u..x.,...j.I.aZ.....X[{L.e..Z#..`.Z...*8..[.p..0.(...j..W..-M...V..H7.c.KN...5e.."...t[um..R...UF.c..1.....z|z.EeO..j..k.V..\x.8.....et;.9.^.Pa..+......U....Iu.q.t....HY.g...q.......omK...FKr1.F..F?.i.d../.]....68..L.........W..s.CU.|y.....zE..Q\...82..W.i[.#Q..xm......P..u.<.#...yC...,........~B..|sF.

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.instrument.jmod

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):41127
                                                    Entropy (8bit):7.961466748192397
                                                    Encrypted:false
                                                    SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                    MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                    SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                    SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                    SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...*A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z|*.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.logging.jmod

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):113725
                                                    Entropy (8bit):7.928841651831531
                                                    Encrypted:false
                                                    SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                    MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                    SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                    SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                    SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm......*..Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h.*.^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz|..^.........8q..{...}.*G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j*..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\una_front\java.management.jmod

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Java jmod module version 1.0
                                                    Category:dropped
                                                    Size (bytes):896846
                                                    Entropy (8bit):7.923431656723031
                                                    Encrypted:false
                                                    SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                    MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                    SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                    SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                    SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                    Malicious:false
                                                    Preview:JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..|..]{.........S|...(cu/..i.d.z...[....'.M|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\utest.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):639224
                                                    Entropy (8bit):6.219852228773659
                                                    Encrypted:false
                                                    SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                    MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                    SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                    SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                    SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):98224
                                                    Entropy (8bit):6.452201564717313
                                                    Encrypted:false
                                                    SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                    MD5:F34EB034AA4A9735218686590CBA2E8B
                                                    SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                    SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                    SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

                                                    C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\vcruntime140_1.dll

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):37256
                                                    Entropy (8bit):6.297533243519742
                                                    Encrypted:false
                                                    SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                    MD5:135359D350F72AD4BF716B764D39E749
                                                    SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                    SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                    SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\631d79.msi

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {52452393-09E5-4A48-806B-98930A631B95}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 14:42:57 2024, Last Saved Time/Date: Thu Dec 26 14:42:57 2024, Last Printed: Thu Dec 26 14:42:57 2024, Number of Pages: 450
                                                    Category:dropped
                                                    Size (bytes):60154880
                                                    Entropy (8bit):7.204239408572999
                                                    Encrypted:false
                                                    SSDEEP:786432:QGZjjVmrjV7eIAte9OTZLoZ4sdUuzt/NCaY2ksC:QGBVmrjV7eIv9OTZcRjVCa1t
                                                    MD5:1C3D44AB733B1EB6ABDFF0BC9F177439
                                                    SHA1:70F6337EF36FE2ECBC80FC12D2873F7AECB2FB17
                                                    SHA-256:E308C6A223D373B77C7189616DB80F171E83AC026ECABF5D7F0B3977EF817801
                                                    SHA-512:6E97115A88DCC0E876DF93DC02FF3054E1031094B01AEEF0582E1127273FFD098EE132FF41BCA4ECAC70D7C6340C73DF714B04CCFA32A6B75FCCFAAA0A741B7F
                                                    Malicious:false
                                                    Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...N...K...L...e...O...""..P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

                                                    C:\Windows\Installer\631d7c.msi

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {52452393-09E5-4A48-806B-98930A631B95}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 14:42:57 2024, Last Saved Time/Date: Thu Dec 26 14:42:57 2024, Last Printed: Thu Dec 26 14:42:57 2024, Number of Pages: 450
                                                    Category:dropped
                                                    Size (bytes):60154880
                                                    Entropy (8bit):7.204239408572999
                                                    Encrypted:false
                                                    SSDEEP:786432:QGZjjVmrjV7eIAte9OTZLoZ4sdUuzt/NCaY2ksC:QGBVmrjV7eIv9OTZcRjVCa1t
                                                    MD5:1C3D44AB733B1EB6ABDFF0BC9F177439
                                                    SHA1:70F6337EF36FE2ECBC80FC12D2873F7AECB2FB17
                                                    SHA-256:E308C6A223D373B77C7189616DB80F171E83AC026ECABF5D7F0B3977EF817801
                                                    SHA-512:6E97115A88DCC0E876DF93DC02FF3054E1031094B01AEEF0582E1127273FFD098EE132FF41BCA4ECAC70D7C6340C73DF714B04CCFA32A6B75FCCFAAA0A741B7F
                                                    Malicious:false
                                                    Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...N...K...L...e...O...""..P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...

                                                    C:\Windows\Installer\MSI26B0.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\MSI274E.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\MSI278D.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\MSI27CD.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\MSI281C.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1201504
                                                    Entropy (8bit):6.4557937684843365
                                                    Encrypted:false
                                                    SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                    MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                    SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                    SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                    SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.|CF..@G.|DF..@G.|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\MSI284C.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\MSI287B.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1021792
                                                    Entropy (8bit):6.608727172078022
                                                    Encrypted:false
                                                    SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                    MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                    SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                    SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                    SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\MSI3A4F.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):380520
                                                    Entropy (8bit):6.512348002260683
                                                    Encrypted:false
                                                    SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                    MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                    SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                    SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                    SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\MSI4637.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):216168
                                                    Entropy (8bit):4.955695967750057
                                                    Encrypted:false
                                                    SSDEEP:1536:i5Tnk9WTT1Z0Ceau0a/r3NLZZOjjDcC7uFFy9Z8YJNs9Z7E9yk9E:itk9M1Z0vZXJZYDFufyXbJNCc4
                                                    MD5:14D8AE1F26D91E53500954038BFA72AA
                                                    SHA1:C05A5B1FD70905F3117CEE129C67463570D5A547
                                                    SHA-256:D21B570E9AEB2B9A60D0121CE70103F53AB0F2495F62F589061C72C178897C00
                                                    SHA-512:F192A50BD835985270040053DD336042FFDA3705EB371451A22134E9935EB0E2DEA44F72C0795367F3387FD78AF234E46603B15B15A9C49EC54BC0E9ED669AF6
                                                    Malicious:false
                                                    Preview:...@IXOS.@.....@(n.Y.@.....@.....@.....@.....@.....@......&.{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}..Cave App..b8ygJBG5cb.msi.@.....@.....@.....@......icon_24.exe..&.{52452393-09E5-4A48-806B-98930A631B95}.....@.....@.....@.....@.......@.....@.....@.......@......Cave App......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}>.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}3.21:\Software\Weqos Apps Industries\Cave App\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}I.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}P.C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll.@.......@.....@.....@......&.{D

                                                    C:\Windows\Installer\MSI4657.tmp

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):787808
                                                    Entropy (8bit):6.693392695195763
                                                    Encrypted:false
                                                    SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                    MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                    SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                    SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                    SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\SourceHash{800C31D3-CBAB-4CD6-A61E-E690018AFCBC}

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.1637113393804848
                                                    Encrypted:false
                                                    SSDEEP:12:JSbX72FjDAGiLIlHVRpZh/7777777777777777777777777vDHFjrrQ+iit/l0i5:JtQI5tFrRjiF
                                                    MD5:B02FE494A81C84B7AD01F9576D81BBA6
                                                    SHA1:56F2D8C97A9FDC56F5C59FB22C5B88FBCB75D2E9
                                                    SHA-256:41E45AAFC6FBFFADFF2B366CD0FE594477833D129D8FD81BB1C1EF0DBCBDB098
                                                    SHA-512:6C5D400E5DFC06E36B49167D07FB71E13E17488331673271CF0B795153024ECE394F907B428D528D120CB7583919CF05E22A2E73C929FE661F7B7E8FF0E218BF
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Installer\inprogressinstallinfo.ipi

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.573240805911734
                                                    Encrypted:false
                                                    SSDEEP:48:P38PhuuRc06WXJ0FT5dtMdJcwMoAECiCyISCJcZoWXeJcwSCJcoT2:P2hu13FThMQDECnStX9wSD
                                                    MD5:2701912BC59EB8E223F48D329929CEFE
                                                    SHA1:386711CD96E6699EE1473F5BE90832AB8273CF73
                                                    SHA-256:9B3C72C62FAAC6EE5D2C5EB29A3580D8565D1AB63AB25B6270B893863C774802
                                                    SHA-512:C7039D97D0F992125E44B2302974F650B0ED362C10AEE8F01133B1EDE0076721130FF72F8CBCDFA39B94066BF2F4BBC41154833ABDF4A3EF2C1AD6F56AD3FD90
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):432221
                                                    Entropy (8bit):5.375184892135741
                                                    Encrypted:false
                                                    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaud:zTtbmkExhMJCIpErk
                                                    MD5:D0964B74A47C38BDA037BC17A1B97C50
                                                    SHA1:ECE6241AA3554B13B809E3B07B0CAA4D7C5E0A0E
                                                    SHA-256:13721957427B4E633D5B26C6BC1B8610A1443D1B497BF4A2A4935B14580E82B6
                                                    SHA-512:EF615BF7F4DA344C867B417A0E43C3AA4639ADCE7741520B03A8ED307DAE5C5CD423E4116BA3CCF96DE54EC20E0671C59E030D967905526936ABFEEA68949018
                                                    Malicious:false
                                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                    C:\Windows\Temp\~DF110A411CB511516D.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.2602427383617414
                                                    Encrypted:false
                                                    SSDEEP:48:7Vmu0O+CFXJpT5EDtMdJcwMoAECiCyISCJcZoWXeJcwSCJcoT2:Bm2RTuBMQDECnStX9wSD
                                                    MD5:43D4D6943718B49AEF844717DB61CDF7
                                                    SHA1:0AC84DE39AC397E587AE9DE64C3E669BD5B8F600
                                                    SHA-256:640C5375EFF91AEE8D4589C5772ED4E39A686041DE916F4FF0EB5E7586A58A4B
                                                    SHA-512:9678E5B63F2330681E6A939C959755977022D231109D3296F6313E0FCD22DEB176F56025513097248F07719CA21CD4A068497C051B1E4BDFB865CCC245871FCC
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DF2397B4A7510913D4.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.2602427383617414
                                                    Encrypted:false
                                                    SSDEEP:48:7Vmu0O+CFXJpT5EDtMdJcwMoAECiCyISCJcZoWXeJcwSCJcoT2:Bm2RTuBMQDECnStX9wSD
                                                    MD5:43D4D6943718B49AEF844717DB61CDF7
                                                    SHA1:0AC84DE39AC397E587AE9DE64C3E669BD5B8F600
                                                    SHA-256:640C5375EFF91AEE8D4589C5772ED4E39A686041DE916F4FF0EB5E7586A58A4B
                                                    SHA-512:9678E5B63F2330681E6A939C959755977022D231109D3296F6313E0FCD22DEB176F56025513097248F07719CA21CD4A068497C051B1E4BDFB865CCC245871FCC
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DF2B6F518E0AA9D1FE.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DF2FCC9FE49A8B1C57.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DF492C5104DCD89AAF.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.573240805911734
                                                    Encrypted:false
                                                    SSDEEP:48:P38PhuuRc06WXJ0FT5dtMdJcwMoAECiCyISCJcZoWXeJcwSCJcoT2:P2hu13FThMQDECnStX9wSD
                                                    MD5:2701912BC59EB8E223F48D329929CEFE
                                                    SHA1:386711CD96E6699EE1473F5BE90832AB8273CF73
                                                    SHA-256:9B3C72C62FAAC6EE5D2C5EB29A3580D8565D1AB63AB25B6270B893863C774802
                                                    SHA-512:C7039D97D0F992125E44B2302974F650B0ED362C10AEE8F01133B1EDE0076721130FF72F8CBCDFA39B94066BF2F4BBC41154833ABDF4A3EF2C1AD6F56AD3FD90
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DF4DEF3FB47E7FB8ED.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DF7FC83C56D70DCABB.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):1.2602427383617414
                                                    Encrypted:false
                                                    SSDEEP:48:7Vmu0O+CFXJpT5EDtMdJcwMoAECiCyISCJcZoWXeJcwSCJcoT2:Bm2RTuBMQDECnStX9wSD
                                                    MD5:43D4D6943718B49AEF844717DB61CDF7
                                                    SHA1:0AC84DE39AC397E587AE9DE64C3E669BD5B8F600
                                                    SHA-256:640C5375EFF91AEE8D4589C5772ED4E39A686041DE916F4FF0EB5E7586A58A4B
                                                    SHA-512:9678E5B63F2330681E6A939C959755977022D231109D3296F6313E0FCD22DEB176F56025513097248F07719CA21CD4A068497C051B1E4BDFB865CCC245871FCC
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DF881AE0D5969FC155.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.573240805911734
                                                    Encrypted:false
                                                    SSDEEP:48:P38PhuuRc06WXJ0FT5dtMdJcwMoAECiCyISCJcZoWXeJcwSCJcoT2:P2hu13FThMQDECnStX9wSD
                                                    MD5:2701912BC59EB8E223F48D329929CEFE
                                                    SHA1:386711CD96E6699EE1473F5BE90832AB8273CF73
                                                    SHA-256:9B3C72C62FAAC6EE5D2C5EB29A3580D8565D1AB63AB25B6270B893863C774802
                                                    SHA-512:C7039D97D0F992125E44B2302974F650B0ED362C10AEE8F01133B1EDE0076721130FF72F8CBCDFA39B94066BF2F4BBC41154833ABDF4A3EF2C1AD6F56AD3FD90
                                                    Malicious:false
                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DFA89035F804ED295E.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DFCAD54159162B86E6.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):0.07130044958432893
                                                    Encrypted:false
                                                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO0uFrrQ+oK71gVky6lit/:2F0i8n0itFzDHFjrrQ+Vit/
                                                    MD5:8FF290F316304370B2939BD9B04B9C40
                                                    SHA1:404258FD065E3AE0FEF5080DB2C1625513D6DC89
                                                    SHA-256:5A8B8D1BD663732C6E820A32414D3E300D9326B81A0C3406140DCF405710C85F
                                                    SHA-512:DD6775E65F0D984545202CA52CB7A32FC32F7E89ECA79EE7402B00001A41EB6CF7217E2BC7200ED8E9B81B02B25967ADC8FF49706E82BE53285CC47549BA27A7
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DFDA6EA12625B6D36A.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):512
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                    Malicious:false
                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\Windows\Temp\~DFEA434C703339BAD4.TMP

                                                    Download File
                                                    Process:C:\Windows\System32\msiexec.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):73728
                                                    Entropy (8bit):0.14037165355739384
                                                    Encrypted:false
                                                    SSDEEP:48:toTeJcwSCJcFJcwMoAECiCyISCJcZoWXAVK:tWwSYDECnStXAV
                                                    MD5:93D33D121C72FA0AAADD41B5BE46082D
                                                    SHA1:919EB9CC35CABE3F2D2954A36CB0386183CA85BA
                                                    SHA-256:01CD988D9E5A577FE09CDA4A3A467C3227A29EC5AAAEE9192BE40B5C128365B3
                                                    SHA-512:D4EFEA6FE3592B82B1ECD476D847E48C0C2D43D946C98B0FBE3B1106717BD6594877A348E5D2173218579B48C5D1EE777BF63AE6374CA476A9C8E35C934EF68C
                                                    Malicious:false
                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    \Device\ConDrv

                                                    Download File
                                                    Process:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):638
                                                    Entropy (8bit):4.751962275036146
                                                    Encrypted:false
                                                    SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                    MD5:15CA959638E74EEC47E0830B90D0696E
                                                    SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                    SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                    SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                    Malicious:false
                                                    Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...

                                                    Static File Info

                                                    General

                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {52452393-09E5-4A48-806B-98930A631B95}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 26 14:42:57 2024, Last Saved Time/Date: Thu Dec 26 14:42:57 2024, Last Printed: Thu Dec 26 14:42:57 2024, Number of Pages: 450
                                                    Entropy (8bit):7.204239408572999
                                                    TrID:
                                                    • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                    • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                    File name:b8ygJBG5cb.msi
                                                    File size:60'154'880 bytes
                                                    MD5:1c3d44ab733b1eb6abdff0bc9f177439
                                                    SHA1:70f6337ef36fe2ecbc80fc12d2873f7aecb2fb17
                                                    SHA256:e308c6a223d373b77c7189616db80f171e83ac026ecabf5d7f0b3977ef817801
                                                    SHA512:6e97115a88dcc0e876df93dc02ff3054e1031094b01aeef0582e1127273ffd098ee132ff41bca4ecac70d7c6340c73df714b04ccfa32a6b75fccfaaa0a741b7f
                                                    SSDEEP:786432:QGZjjVmrjV7eIAte9OTZLoZ4sdUuzt/NCaY2ksC:QGBVmrjV7eIv9OTZcRjVCa1t
                                                    TLSH:A7D76C01B3FA4148F2F75E717EBA85A594BABD521B30C0EF1244A60E1B71BC25BB1763
                                                    File Content Preview:........................>............................................2..................................................................x......................................................................................................................

                                                    File Icon

                                                    Icon Hash:2d2e3797b32b2b99

                                                    Network Behavior

                                                    Suricata IDS Alerts

                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                    2024-12-26T19:49:13.708294+01002829202ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA1192.168.2.449730172.67.194.29443TCP

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Dec 26, 2024 19:49:12.341029882 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:12.341140032 CET44349730172.67.194.29192.168.2.4
                                                    Dec 26, 2024 19:49:12.341252089 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:12.345047951 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:12.345083952 CET44349730172.67.194.29192.168.2.4
                                                    Dec 26, 2024 19:49:13.663065910 CET44349730172.67.194.29192.168.2.4
                                                    Dec 26, 2024 19:49:13.663149118 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:13.703927040 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:13.703991890 CET44349730172.67.194.29192.168.2.4
                                                    Dec 26, 2024 19:49:13.704390049 CET44349730172.67.194.29192.168.2.4
                                                    Dec 26, 2024 19:49:13.704499006 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:13.708081007 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:13.708128929 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:13.708179951 CET44349730172.67.194.29192.168.2.4
                                                    Dec 26, 2024 19:49:14.439990997 CET44349730172.67.194.29192.168.2.4
                                                    Dec 26, 2024 19:49:14.440067053 CET44349730172.67.194.29192.168.2.4
                                                    Dec 26, 2024 19:49:14.440094948 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:14.440179110 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:14.440682888 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:14.440728903 CET44349730172.67.194.29192.168.2.4
                                                    Dec 26, 2024 19:49:14.440756083 CET49730443192.168.2.4172.67.194.29
                                                    Dec 26, 2024 19:49:14.440800905 CET49730443192.168.2.4172.67.194.29

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Dec 26, 2024 19:49:12.027259111 CET5826553192.168.2.41.1.1.1
                                                    Dec 26, 2024 19:49:12.336456060 CET53582651.1.1.1192.168.2.4

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Dec 26, 2024 19:49:12.027259111 CET192.168.2.41.1.1.10xedb4Standard query (0)yhmqpa.comA (IP address)IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Dec 26, 2024 19:49:12.336456060 CET1.1.1.1192.168.2.40xedb4No error (0)yhmqpa.com172.67.194.29A (IP address)IN (0x0001)false
                                                    Dec 26, 2024 19:49:12.336456060 CET1.1.1.1192.168.2.40xedb4No error (0)yhmqpa.com104.21.20.197A (IP address)IN (0x0001)false

                                                    HTTP Request Dependency Graph

                                                    • yhmqpa.com

                                                    HTTPS Proxied Packets

                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.449730172.67.194.294437564C:\Windows\SysWOW64\msiexec.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-26 18:49:13 UTC188OUTPOST /updater.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                    User-Agent: AdvancedInstaller
                                                    Host: yhmqpa.com
                                                    Content-Length: 71
                                                    Cache-Control: no-cache
                                                    2024-12-26 18:49:13 UTC71OUTData Raw: 44 61 74 65 3d 32 36 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 31 33 25 33 41 34 39 25 33 41 31 31 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                    Data Ascii: Date=26%2F12%2F2024&Time=13%3A49%3A11&BuildVersion=8.9.9&SoroqVins=True
                                                    2024-12-26 18:49:14 UTC819INHTTP/1.1 500 Internal Server Error
                                                    Date: Thu, 26 Dec 2024 18:49:14 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Cache-Control: no-store
                                                    cf-cache-status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xr1CemyXqyDaddStiS%2Fhh5nWnMOS%2FDi8c2GZ9LvB0b6oesM4VGESCTpHwPavA8ZzXj8Zr7NEy4x6JMHP299LCh6DskkPCk6BeGDXBEfD9UqnO31KD6gp11wPTvzX"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8f833fe62b008c99-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2126&min_rtt=2078&rtt_var=813&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=919&delivery_rate=1405197&cwnd=247&unsent_bytes=0&cid=696e7b7e3bfacd98&ts=795&x=0"
                                                    2024-12-26 18:49:14 UTC5INData Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:13:49:03
                                                    Start date:26/12/2024
                                                    Path:C:\Windows\System32\msiexec.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\b8ygJBG5cb.msi"
                                                    Imagebase:0x7ff714610000
                                                    File size:69'632 bytes
                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:1
                                                    Start time:13:49:03
                                                    Start date:26/12/2024
                                                    Path:C:\Windows\System32\msiexec.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\msiexec.exe /V
                                                    Imagebase:0x7ff714610000
                                                    File size:69'632 bytes
                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    General

                                                    Target ID:2
                                                    Start time:13:49:05
                                                    Start date:26/12/2024
                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D1F7B76A2FEB2E4A506948573AE81708
                                                    Imagebase:0x3d0000
                                                    File size:59'904 bytes
                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:3
                                                    Start time:13:49:14
                                                    Start date:26/12/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss46ED.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi46EA.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr46EB.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr46EC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                    Imagebase:0xc60000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:4
                                                    Start time:13:49:14
                                                    Start date:26/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:6
                                                    Start time:13:49:20
                                                    Start date:26/12/2024
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\suriqk.bat" "C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe""
                                                    Imagebase:0x7ff6d1060000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:7
                                                    Start time:13:49:20
                                                    Start date:26/12/2024
                                                    Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\createdump.exe"
                                                    Imagebase:0x7ff632bc0000
                                                    File size:57'488 bytes
                                                    MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:moderate
                                                    Has exited:true

                                                    General

                                                    Target ID:8
                                                    Start time:13:49:20
                                                    Start date:26/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:9
                                                    Start time:13:49:20
                                                    Start date:26/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:10
                                                    Start time:13:49:20
                                                    Start date:26/12/2024
                                                    Path:C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe"
                                                    Imagebase:0x140000000
                                                    File size:117'496 bytes
                                                    MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:moderate
                                                    Has exited:true

                                                    General

                                                    Target ID:11
                                                    Start time:13:49:20
                                                    Start date:26/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Disassembly

                                                    Reset < >

                                                      Executed Functions

                                                      Function 07541B50 Relevance: 4.0, Strings: 3, Instructions: 201COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1775941655.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7540000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $^q$$^q$$^q
                                                      • API String ID: 0-831282457
                                                      • Opcode ID: 0518c259dbbf83f948461237f15a677b828b29e7520abef70346bdcff871b09e
                                                      • Instruction ID: f40b5abeda5374d8c1e4aa3eb8ced96d6880855d4cc4917ae25862912af49732
                                                      • Opcode Fuzzy Hash: 0518c259dbbf83f948461237f15a677b828b29e7520abef70346bdcff871b09e
                                                      • Instruction Fuzzy Hash: E36105B070460E9FCB259F68D8446EA7BF2BF85214F14846BE449CB251EB35CC85CBA1
                                                      Function 07541B34 Relevance: 2.6, Strings: 2, Instructions: 128COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1775941655.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7540000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $^q$$^q
                                                      • API String ID: 0-355816377
                                                      • Opcode ID: e154eb9a2cd6695a7c86a5477f4494893205aa836e138a7d38b07a8c5264e2c1
                                                      • Instruction ID: d3cbb5a1395dc014e47056408e5c8011550d2bff352767bca3b819844184a16b
                                                      • Opcode Fuzzy Hash: e154eb9a2cd6695a7c86a5477f4494893205aa836e138a7d38b07a8c5264e2c1
                                                      • Instruction Fuzzy Hash: AC41C1F5A08B4E9FCB258F28D9446E57BF0BF02228F1885ABD4558F192E734C9C5CB51
                                                      Function 06A28460 Relevance: .3, Instructions: 266COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1774491975.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6a20000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 404e1b3aecdd3debd297d8aafac84ddc72e4919033eb3e62b7ff6898f5a81fff
                                                      • Instruction ID: a831e5de50103b85efa2419d9c2ab0cd04729d072aacf773e42f3f660819a027
                                                      • Opcode Fuzzy Hash: 404e1b3aecdd3debd297d8aafac84ddc72e4919033eb3e62b7ff6898f5a81fff
                                                      • Instruction Fuzzy Hash: AFA1A131E402198FDB54EFA8D944A9DBBF2FF84350F154558E402AF365DB78AD49CB80
                                                      Function 06A23BF8 Relevance: .3, Instructions: 263COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1774491975.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6a20000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 31edf147ed2e5f8dd39618792be036de8c8c34c30d9a1774ad760e2192e5033e
                                                      • Instruction ID: a18e7977ba23a61bb378e47fb12e207c248bbd2e296d0c87c114fd9e28cf262d
                                                      • Opcode Fuzzy Hash: 31edf147ed2e5f8dd39618792be036de8c8c34c30d9a1774ad760e2192e5033e
                                                      • Instruction Fuzzy Hash: 54A1FF70A042958FCB06DF6DC4949AAFFB1FF4A310B25859AD451DB3A6C339EC44CBA0
                                                      Function 06A28BB0 Relevance: .2, Instructions: 193COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1774491975.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6a20000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 26997be1815f28090c9d25b80cbc61becf779f035070abc297ee41e676652f70
                                                      • Instruction ID: 1f9fae41ebe77aad8b65b13148da06c4adb5687aa4e23f9e9d5f8aa6ed2892b7
                                                      • Opcode Fuzzy Hash: 26997be1815f28090c9d25b80cbc61becf779f035070abc297ee41e676652f70
                                                      • Instruction Fuzzy Hash: 4871F130A00259CFDB14EF69C884A9EFBF2FF85314F148569E416DB651DB79AC4ACB80
                                                      Function 06A28D1E Relevance: .2, Instructions: 188COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1774491975.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6a20000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bde63dc0c2807860383ba3de65812ef9f855dd6be6ed6e1ff745f7f42e13dde4
                                                      • Instruction ID: 3d7d11afcda884aafb0e23bd2e868bb061754e0537a3ea080fdea8b57b63e4ee
                                                      • Opcode Fuzzy Hash: bde63dc0c2807860383ba3de65812ef9f855dd6be6ed6e1ff745f7f42e13dde4
                                                      • Instruction Fuzzy Hash: 0E716130E00259DFDB14EFA9D454AADBBF2FF84344F248429E412AB251DF79AD4ACB41
                                                      Function 06A28941 Relevance: .1, Instructions: 122COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1774491975.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6a20000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4e97cd094d13d0c4fe9a24a2e4975aab62eaec53c299a1f62640f352e7a90ad5
                                                      • Instruction ID: 85d095cf194cf4dc29c514636d5b3ee9a3f8d8cbd95ec2fee879be22c75154c1
                                                      • Opcode Fuzzy Hash: 4e97cd094d13d0c4fe9a24a2e4975aab62eaec53c299a1f62640f352e7a90ad5
                                                      • Instruction Fuzzy Hash: 9941BE71A402118FEB15EF68C958AADBBB2EF89710F184468E502EB3A1CF789C05CB50
                                                      Function 06A28B9B Relevance: .1, Instructions: 114COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1774491975.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6a20000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c1ed022c83bf5ce3a5b680cc8ba8735f2a32e8abe6b44f070f5001d7a591eb7
                                                      • Instruction ID: 72cfe39f8e440603a065eff590eac303d13f6c7b2d7049e04cd8a3f298161d8a
                                                      • Opcode Fuzzy Hash: 1c1ed022c83bf5ce3a5b680cc8ba8735f2a32e8abe6b44f070f5001d7a591eb7
                                                      • Instruction Fuzzy Hash: C7415E70E00259CFDB14EFA9C9946ADBBF2FF85304F148569D006AB755DB78AC89CB40
                                                      Function 06A23D08 Relevance: .1, Instructions: 109COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1774491975.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6a20000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ac78aa1b63ca9b7ffec4b6d1c3ec174c1ae7206aa0069774f99927e9f5fc006b
                                                      • Instruction ID: 103d20db059664fe9bc02a341a0da39f3f2b530daf9e531f91a93b4bce550b7f
                                                      • Opcode Fuzzy Hash: ac78aa1b63ca9b7ffec4b6d1c3ec174c1ae7206aa0069774f99927e9f5fc006b
                                                      • Instruction Fuzzy Hash: 934169B0A401168FCB05CF59C594AAAFBF2FF49310B118599D415AB364C736FC51CFA0
                                                      Function 02F1D01D Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1771803802.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2f1d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 22a2465cfb24279f939cd1b300a4c666e7bba68c1288cbabc68f02c54df3e2f9
                                                      • Instruction ID: c7d7f32679e23d2830d4fabfaef0457c2ee9ca9bde7653f01d1b95f7e24dab86
                                                      • Opcode Fuzzy Hash: 22a2465cfb24279f939cd1b300a4c666e7bba68c1288cbabc68f02c54df3e2f9
                                                      • Instruction Fuzzy Hash: 9F01DB729093409AE7104B2ACDC4767BFE8DF457A4F58C52AEE484B24AC779D881C6B1
                                                      Function 02F1D005 Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1771803802.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_2f1d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ae98c25dc747b84016fe4dfe3661414bb9e2477957a64e8d632d0216c5c5353
                                                      • Instruction ID: 3472467f860ea0668ab674a3118ab22275c4a201467476a577fe7190c6575bb6
                                                      • Opcode Fuzzy Hash: 5ae98c25dc747b84016fe4dfe3661414bb9e2477957a64e8d632d0216c5c5353
                                                      • Instruction Fuzzy Hash: 4F01526140E3C05FD7128B258894752BFB4DF47624F5DC0DBD9888F2A7C2699849C772
                                                      Function 06A288D5 Relevance: .0, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1774491975.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6a20000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b284404cef2ec5bfee465cbb3091e683bec6cdde7445e2b27207726c4824ff17
                                                      • Instruction ID: cbeb96c07bfee27e4b7a3e72b2c8436d3a59fbe3e2460754634b7f3773973dab
                                                      • Opcode Fuzzy Hash: b284404cef2ec5bfee465cbb3091e683bec6cdde7445e2b27207726c4824ff17
                                                      • Instruction Fuzzy Hash: 2DF03070B8030A9FDB04EBA8C5A5B6E7BB2EF40384F104554E5029F368CB789D4D8BC0

                                                      Non-executed Functions

                                                      Function 07541658 Relevance: 15.3, Strings: 12, Instructions: 347COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1775941655.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7540000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 84Xk$84Xk$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$Pk$Pk
                                                      • API String ID: 0-925860617
                                                      • Opcode ID: abdcb1224fe6358791233c88ce2ea92c4b4984ccf7f7cc97213e1089367a10fd
                                                      • Instruction ID: fba1da598a6478bc33504df2d17fe2e6ee37baeb142b820ea393c29ead615770
                                                      • Opcode Fuzzy Hash: abdcb1224fe6358791233c88ce2ea92c4b4984ccf7f7cc97213e1089367a10fd
                                                      • Instruction Fuzzy Hash: A1B19EB27087998FD7154B6998106E6BFF6BFC6224B1884ABD444CF392DE31CC85C7A1
                                                      Function 07540898 Relevance: 10.2, Strings: 8, Instructions: 181COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1775941655.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7540000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                      • API String ID: 0-3732357466
                                                      • Opcode ID: 9bdbf20e0f1f290b58e14449a01c687f4dadedffbbc9f5afcc2199b8cbe0ca18
                                                      • Instruction ID: 52052d8bc027d3920b993c44b33e2518fa4031405a8c3061f83c004b13658e38
                                                      • Opcode Fuzzy Hash: 9bdbf20e0f1f290b58e14449a01c687f4dadedffbbc9f5afcc2199b8cbe0ca18
                                                      • Instruction Fuzzy Hash: 2451397270430A8FDB254B2A98046EABBB5BFC6214F3484AFD64DCB281DE31C845C7A1
                                                      Function 0754044C Relevance: 6.3, Strings: 5, Instructions: 92COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1775941655.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7540000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$$^q
                                                      • API String ID: 0-4240210763
                                                      • Opcode ID: 724926d61cbf3125bb16da79e8f4e2914585833a4a59a95eeb04423d35408bee
                                                      • Instruction ID: 2caf9da2d474e9741d80f5334c1ee00afbb96d0c19d6555f0b853806a572e7c9
                                                      • Opcode Fuzzy Hash: 724926d61cbf3125bb16da79e8f4e2914585833a4a59a95eeb04423d35408bee
                                                      • Instruction Fuzzy Hash: 09212971F443154FC71A267838245E67FE6ABC166472504E7C104CF39ADE158C8647E2
                                                      Function 07540E88 Relevance: 6.3, Strings: 5, Instructions: 79COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1775941655.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7540000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4Wk$4Wk$$^q$$^q$$^q
                                                      • API String ID: 0-3095741987
                                                      • Opcode ID: 818d24eecbdf7498eeb67a27cb36075da4b15072ef36d76f475db0f229ea8e4b
                                                      • Instruction ID: 15cb67092e29964112fba5c3a6c56f4ffad7cca4d686c6782efba6f74a93ffd0
                                                      • Opcode Fuzzy Hash: 818d24eecbdf7498eeb67a27cb36075da4b15072ef36d76f475db0f229ea8e4b
                                                      • Instruction Fuzzy Hash: 4D1138B132021AABD624566958106FB76C66BC0654B24447BD609CB3C6DE36CC138261
                                                      Function 0754163C Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1775941655.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7540000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: tP^q$$^q$$^q$$^q
                                                      • API String ID: 0-3061638629
                                                      • Opcode ID: a3bed74badb88586f42745b9ac21cff37b948255e3216a97a4a230bf58fa8816
                                                      • Instruction ID: ba63e2b76fa2d41bee202de68ab06cba3c336cb2464076a7b6a625460b7f5bb1
                                                      • Opcode Fuzzy Hash: a3bed74badb88586f42745b9ac21cff37b948255e3216a97a4a230bf58fa8816
                                                      • Instruction Fuzzy Hash: 8D3145B2605399AFC7254F648804AE67FF9BF52664F1D409BE404CF362CA31CC85CB60

                                                      Execution Graph

                                                      Execution Coverage:3.4%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:1.7%
                                                      Total number of Nodes:701
                                                      Total number of Limit Nodes:1
                                                      execution_graph 2489 7ff632bc2700 2490 7ff632bc2710 2489->2490 2502 7ff632bc2bd8 2490->2502 2492 7ff632bc2ecc 7 API calls 2493 7ff632bc27b5 2492->2493 2494 7ff632bc2734 _RTC_Initialize 2500 7ff632bc2797 2494->2500 2510 7ff632bc2e64 InitializeSListHead 2494->2510 2500->2492 2501 7ff632bc27a5 2500->2501 2503 7ff632bc2be9 2502->2503 2508 7ff632bc2c1b 2502->2508 2504 7ff632bc2c58 2503->2504 2507 7ff632bc2bee __scrt_release_startup_lock 2503->2507 2505 7ff632bc2ecc 7 API calls 2504->2505 2506 7ff632bc2c62 2505->2506 2507->2508 2509 7ff632bc2c0b _initialize_onexit_table 2507->2509 2508->2494 2509->2508 2955 7ff632bc1d39 2956 7ff632bc1d40 2955->2956 2956->2956 2959 7ff632bc18a0 2956->2959 2965 7ff632bc2040 2956->2965 2958 7ff632bc1d76 2960 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 2958->2960 2959->2958 2961 7ff632bc1dd0 2959->2961 2964 7ff632bc20c0 21 API calls 2959->2964 2962 7ff632bc1d87 2960->2962 2963 7ff632bc1450 6 API calls 2961->2963 2963->2958 2964->2959 2966 7ff632bc20a2 2965->2966 2968 7ff632bc2063 BuildCatchObjectHelperInternal 2965->2968 2967 7ff632bc2230 22 API calls 2966->2967 2969 7ff632bc20b5 2967->2969 2968->2959 2969->2959 2973 7ff632bc733c _seh_filter_exe 2514 7ff632bc7411 2515 7ff632bc7495 2514->2515 2516 7ff632bc7429 2514->2516 2516->2515 2521 7ff632bc43d0 2516->2521 2518 7ff632bc7476 2519 7ff632bc43d0 _CreateFrameInfo 10 API calls 2518->2519 2520 7ff632bc748b terminate 2519->2520 2520->2515 2524 7ff632bc43ec 2521->2524 2523 7ff632bc43d9 2523->2518 2525 7ff632bc4404 2524->2525 2526 7ff632bc440b GetLastError 2524->2526 2525->2523 2538 7ff632bc6678 2526->2538 2539 7ff632bc6498 __vcrt_InitializeCriticalSectionEx 5 API calls 2538->2539 2540 7ff632bc669f TlsGetValue 2539->2540 2542 7ff632bc1590 2545 7ff632bc3d50 2542->2545 2544 7ff632bc15b2 2546 7ff632bc3d5f free 2545->2546 2547 7ff632bc3d67 2545->2547 2546->2547 2547->2544 2551 7ff632bc1510 2552 7ff632bc3cc0 __std_exception_copy 2 API calls 2551->2552 2553 7ff632bc1539 2552->2553 2554 7ff632bc7090 2555 7ff632bc70d2 __GSHandlerCheckCommon 2554->2555 2556 7ff632bc70fa 2555->2556 2558 7ff632bc3d78 2555->2558 2560 7ff632bc3da8 _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 2558->2560 2559 7ff632bc3e99 2559->2556 2560->2559 2561 7ff632bc3e64 RtlUnwindEx 2560->2561 2561->2560 2562 7ff632bc7290 2563 7ff632bc72b0 2562->2563 2564 7ff632bc72a3 2562->2564 2566 7ff632bc1e80 2564->2566 2567 7ff632bc1e93 2566->2567 2569 7ff632bc1eb7 2566->2569 2568 7ff632bc1ed8 _invalid_parameter_noinfo_noreturn 2567->2568 2567->2569 2569->2563 2573 7ff632bc3090 2574 7ff632bc30c4 2573->2574 2575 7ff632bc30a8 2573->2575 2575->2574 2580 7ff632bc41c0 2575->2580 2579 7ff632bc30e2 2581 7ff632bc43d0 _CreateFrameInfo 10 API calls 2580->2581 2582 7ff632bc30d6 2581->2582 2583 7ff632bc41d4 2582->2583 2584 7ff632bc43d0 _CreateFrameInfo 10 API calls 2583->2584 2585 7ff632bc41dd 2584->2585 2585->2579 2974 7ff632bc27d0 2978 7ff632bc3074 SetUnhandledExceptionFilter 2974->2978 2979 7ff632bc1550 2980 7ff632bc3d50 __std_exception_destroy free 2979->2980 2981 7ff632bc1567 2980->2981 2982 7ff632bc48c7 abort 2986 7ff632bc1ce0 2987 7ff632bc2688 5 API calls 2986->2987 2988 7ff632bc1cea gethostname 2987->2988 2989 7ff632bc1da9 WSAGetLastError 2988->2989 2990 7ff632bc1d08 2988->2990 2991 7ff632bc1450 6 API calls 2989->2991 2993 7ff632bc2040 22 API calls 2990->2993 2992 7ff632bc1d76 2991->2992 2994 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 2992->2994 2996 7ff632bc18a0 2993->2996 2995 7ff632bc1d87 2994->2995 2996->2992 2997 7ff632bc1dd0 2996->2997 2999 7ff632bc20c0 21 API calls 2996->2999 2998 7ff632bc1450 6 API calls 2997->2998 2998->2992 2999->2996 3000 7ff632bc5860 3001 7ff632bc43d0 _CreateFrameInfo 10 API calls 3000->3001 3002 7ff632bc58ad 3001->3002 3003 7ff632bc43d0 _CreateFrameInfo 10 API calls 3002->3003 3004 7ff632bc58bb __except_validate_context_record 3003->3004 3005 7ff632bc43d0 _CreateFrameInfo 10 API calls 3004->3005 3006 7ff632bc5914 3005->3006 3007 7ff632bc43d0 _CreateFrameInfo 10 API calls 3006->3007 3008 7ff632bc591d 3007->3008 3009 7ff632bc43d0 _CreateFrameInfo 10 API calls 3008->3009 3010 7ff632bc5926 3009->3010 3029 7ff632bc3b18 3010->3029 3013 7ff632bc43d0 _CreateFrameInfo 10 API calls 3014 7ff632bc5959 3013->3014 3015 7ff632bc5aa9 abort 3014->3015 3016 7ff632bc5991 3014->3016 3017 7ff632bc3b54 11 API calls 3016->3017 3021 7ff632bc5a31 3017->3021 3018 7ff632bc5a5a __GSHandlerCheck_EH 3019 7ff632bc43d0 _CreateFrameInfo 10 API calls 3018->3019 3020 7ff632bc5a6d 3019->3020 3022 7ff632bc43d0 _CreateFrameInfo 10 API calls 3020->3022 3021->3018 3023 7ff632bc4104 10 API calls 3021->3023 3024 7ff632bc5a76 3022->3024 3023->3018 3025 7ff632bc43d0 _CreateFrameInfo 10 API calls 3024->3025 3026 7ff632bc5a7f 3025->3026 3027 7ff632bc43d0 _CreateFrameInfo 10 API calls 3026->3027 3028 7ff632bc5a8e 3027->3028 3030 7ff632bc43d0 _CreateFrameInfo 10 API calls 3029->3030 3031 7ff632bc3b29 3030->3031 3032 7ff632bc3b34 3031->3032 3033 7ff632bc43d0 _CreateFrameInfo 10 API calls 3031->3033 3034 7ff632bc43d0 _CreateFrameInfo 10 API calls 3032->3034 3033->3032 3035 7ff632bc3b45 3034->3035 3035->3013 3035->3014 3036 7ff632bc7260 3037 7ff632bc7280 3036->3037 3038 7ff632bc7273 3036->3038 3039 7ff632bc1e80 _invalid_parameter_noinfo_noreturn 3038->3039 3039->3037 3040 7ff632bc195f 3041 7ff632bc196d 3040->3041 3041->3041 3042 7ff632bc1a23 3041->3042 3043 7ff632bc1ee0 22 API calls 3041->3043 3044 7ff632bc2230 22 API calls 3042->3044 3045 7ff632bc1a67 BuildCatchObjectHelperInternal 3042->3045 3043->3042 3044->3045 3046 7ff632bc18a0 3045->3046 3047 7ff632bc1da2 _invalid_parameter_noinfo_noreturn 3045->3047 3051 7ff632bc1dd0 3046->3051 3054 7ff632bc20c0 21 API calls 3046->3054 3055 7ff632bc1d76 3046->3055 3048 7ff632bc1da9 WSAGetLastError 3047->3048 3049 7ff632bc1450 6 API calls 3048->3049 3049->3055 3050 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 3052 7ff632bc1d87 3050->3052 3053 7ff632bc1450 6 API calls 3051->3053 3053->3055 3054->3046 3055->3050 2589 7ff632bc4024 2596 7ff632bc642c 2589->2596 2592 7ff632bc4031 2608 7ff632bc6714 2596->2608 2599 7ff632bc402d 2599->2592 2601 7ff632bc44ac 2599->2601 2600 7ff632bc6460 __vcrt_uninitialize_locks DeleteCriticalSection 2600->2599 2613 7ff632bc65e8 2601->2613 2609 7ff632bc6498 __vcrt_InitializeCriticalSectionEx 5 API calls 2608->2609 2610 7ff632bc674a 2609->2610 2611 7ff632bc675f InitializeCriticalSectionAndSpinCount 2610->2611 2612 7ff632bc6444 2610->2612 2611->2612 2612->2599 2612->2600 2614 7ff632bc6498 __vcrt_InitializeCriticalSectionEx 5 API calls 2613->2614 2616 7ff632bc660d TlsAlloc 2614->2616 3056 7ff632bc7559 3059 7ff632bc4158 3056->3059 3060 7ff632bc4170 3059->3060 3061 7ff632bc4182 3059->3061 3060->3061 3063 7ff632bc4178 3060->3063 3062 7ff632bc43d0 _CreateFrameInfo 10 API calls 3061->3062 3064 7ff632bc4187 3062->3064 3065 7ff632bc43d0 _CreateFrameInfo 10 API calls 3063->3065 3066 7ff632bc4180 3063->3066 3064->3066 3067 7ff632bc43d0 _CreateFrameInfo 10 API calls 3064->3067 3068 7ff632bc41a7 3065->3068 3067->3066 3069 7ff632bc43d0 _CreateFrameInfo 10 API calls 3068->3069 3070 7ff632bc41b4 terminate 3069->3070 2617 7ff632bc1b18 _time64 2618 7ff632bc1b34 2617->2618 2618->2618 2619 7ff632bc1bf1 2618->2619 2633 7ff632bc1ee0 2618->2633 2621 7ff632bc1c34 BuildCatchObjectHelperInternal 2619->2621 2647 7ff632bc2230 2619->2647 2623 7ff632bc1da2 _invalid_parameter_noinfo_noreturn 2621->2623 2625 7ff632bc18a0 2621->2625 2624 7ff632bc1da9 WSAGetLastError 2623->2624 2626 7ff632bc1450 6 API calls 2624->2626 2628 7ff632bc1d76 2625->2628 2629 7ff632bc1dd0 2625->2629 2632 7ff632bc20c0 21 API calls 2625->2632 2626->2628 2627 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 2630 7ff632bc1d87 2627->2630 2628->2627 2631 7ff632bc1450 6 API calls 2629->2631 2631->2628 2632->2625 2635 7ff632bc1f25 2633->2635 2646 7ff632bc1f04 BuildCatchObjectHelperInternal 2633->2646 2634 7ff632bc2031 2636 7ff632bc17e0 21 API calls 2634->2636 2635->2634 2637 7ff632bc1f74 2635->2637 2640 7ff632bc1fa9 2635->2640 2638 7ff632bc2036 2636->2638 2637->2638 2639 7ff632bc2690 5 API calls 2637->2639 2641 7ff632bc1720 Concurrency::cancel_current_task 4 API calls 2638->2641 2645 7ff632bc1f92 BuildCatchObjectHelperInternal 2639->2645 2643 7ff632bc2690 5 API calls 2640->2643 2640->2645 2644 7ff632bc203c 2641->2644 2642 7ff632bc202a _invalid_parameter_noinfo_noreturn 2642->2634 2643->2645 2645->2642 2645->2646 2646->2619 2648 7ff632bc225e 2647->2648 2649 7ff632bc23ab 2647->2649 2650 7ff632bc22be 2648->2650 2653 7ff632bc22b1 2648->2653 2654 7ff632bc22e6 2648->2654 2651 7ff632bc17e0 21 API calls 2649->2651 2655 7ff632bc2690 5 API calls 2650->2655 2652 7ff632bc23b0 2651->2652 2656 7ff632bc1720 Concurrency::cancel_current_task 4 API calls 2652->2656 2653->2650 2653->2652 2657 7ff632bc2690 5 API calls 2654->2657 2660 7ff632bc22cf BuildCatchObjectHelperInternal 2654->2660 2655->2660 2658 7ff632bc23b6 2656->2658 2657->2660 2659 7ff632bc2364 _invalid_parameter_noinfo_noreturn 2661 7ff632bc2357 BuildCatchObjectHelperInternal 2659->2661 2660->2659 2660->2661 2661->2621 3071 7ff632bc74d6 3072 7ff632bc3b54 11 API calls 3071->3072 3076 7ff632bc74e9 3072->3076 3073 7ff632bc751a __GSHandlerCheck_EH 3074 7ff632bc43d0 _CreateFrameInfo 10 API calls 3073->3074 3075 7ff632bc752e 3074->3075 3077 7ff632bc43d0 _CreateFrameInfo 10 API calls 3075->3077 3076->3073 3078 7ff632bc4104 10 API calls 3076->3078 3079 7ff632bc753b 3077->3079 3078->3073 3080 7ff632bc43d0 _CreateFrameInfo 10 API calls 3079->3080 3081 7ff632bc7548 3080->3081 2662 7ff632bc191a 2663 7ff632bc18a0 2662->2663 2664 7ff632bc194d 2662->2664 2667 7ff632bc1dd0 2663->2667 2670 7ff632bc20c0 21 API calls 2663->2670 2671 7ff632bc1d76 2663->2671 2665 7ff632bc20c0 21 API calls 2664->2665 2665->2663 2666 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 2668 7ff632bc1d87 2666->2668 2669 7ff632bc1450 6 API calls 2667->2669 2669->2671 2670->2663 2671->2666 2672 7ff632bc291a 2673 7ff632bc3020 __scrt_is_managed_app GetModuleHandleW 2672->2673 2674 7ff632bc2921 2673->2674 2675 7ff632bc2960 _exit 2674->2675 2676 7ff632bc2925 2674->2676 2680 7ff632bc43b0 2681 7ff632bc43b9 2680->2681 2682 7ff632bc43ca 2680->2682 2681->2682 2683 7ff632bc43c5 free 2681->2683 2683->2682 2684 7ff632bc7130 2685 7ff632bc7168 __GSHandlerCheckCommon 2684->2685 2686 7ff632bc7194 2685->2686 2688 7ff632bc3c00 2685->2688 2689 7ff632bc43d0 _CreateFrameInfo 10 API calls 2688->2689 2690 7ff632bc3c42 2689->2690 2691 7ff632bc43d0 _CreateFrameInfo 10 API calls 2690->2691 2692 7ff632bc3c4f 2691->2692 2693 7ff632bc43d0 _CreateFrameInfo 10 API calls 2692->2693 2694 7ff632bc3c58 __GSHandlerCheck_EH 2693->2694 2697 7ff632bc5414 2694->2697 2698 7ff632bc5443 __except_validate_context_record 2697->2698 2699 7ff632bc43d0 _CreateFrameInfo 10 API calls 2698->2699 2700 7ff632bc5448 2699->2700 2701 7ff632bc5498 2700->2701 2706 7ff632bc55b2 __GSHandlerCheck_EH 2700->2706 2712 7ff632bc3ca9 2700->2712 2703 7ff632bc559f 2701->2703 2710 7ff632bc54f3 __GSHandlerCheck_EH 2701->2710 2701->2712 2702 7ff632bc55f7 2702->2712 2744 7ff632bc49a4 2702->2744 2737 7ff632bc3678 2703->2737 2706->2702 2706->2712 2741 7ff632bc3bbc 2706->2741 2707 7ff632bc56a2 abort 2709 7ff632bc5543 2713 7ff632bc5cf0 2709->2713 2710->2707 2710->2709 2712->2686 2797 7ff632bc3ba8 2713->2797 2715 7ff632bc5d40 __GSHandlerCheck_EH 2716 7ff632bc5d72 2715->2716 2717 7ff632bc5d5b 2715->2717 2719 7ff632bc43d0 _CreateFrameInfo 10 API calls 2716->2719 2718 7ff632bc43d0 _CreateFrameInfo 10 API calls 2717->2718 2720 7ff632bc5d60 2718->2720 2721 7ff632bc5d77 2719->2721 2722 7ff632bc5fd0 abort 2720->2722 2723 7ff632bc5d6a 2720->2723 2721->2723 2725 7ff632bc43d0 _CreateFrameInfo 10 API calls 2721->2725 2724 7ff632bc43d0 _CreateFrameInfo 10 API calls 2723->2724 2735 7ff632bc5d96 __GSHandlerCheck_EH 2724->2735 2726 7ff632bc5d82 2725->2726 2727 7ff632bc43d0 _CreateFrameInfo 10 API calls 2726->2727 2727->2723 2728 7ff632bc5f92 2729 7ff632bc43d0 _CreateFrameInfo 10 API calls 2728->2729 2730 7ff632bc5f97 2729->2730 2731 7ff632bc5fa2 2730->2731 2733 7ff632bc43d0 _CreateFrameInfo 10 API calls 2730->2733 2732 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 2731->2732 2734 7ff632bc5fb5 2732->2734 2733->2731 2734->2712 2735->2728 2800 7ff632bc3bd0 2735->2800 2738 7ff632bc368a 2737->2738 2739 7ff632bc5cf0 __GSHandlerCheck_EH 19 API calls 2738->2739 2740 7ff632bc36a5 2739->2740 2740->2712 2742 7ff632bc43d0 _CreateFrameInfo 10 API calls 2741->2742 2743 7ff632bc3bc5 2742->2743 2743->2702 2745 7ff632bc4a01 __GSHandlerCheck_EH 2744->2745 2746 7ff632bc4a20 2745->2746 2747 7ff632bc4a09 2745->2747 2748 7ff632bc43d0 _CreateFrameInfo 10 API calls 2746->2748 2749 7ff632bc43d0 _CreateFrameInfo 10 API calls 2747->2749 2750 7ff632bc4a25 2748->2750 2753 7ff632bc4a0e 2749->2753 2752 7ff632bc43d0 _CreateFrameInfo 10 API calls 2750->2752 2750->2753 2751 7ff632bc4e99 abort 2754 7ff632bc4a30 2752->2754 2753->2751 2757 7ff632bc4b54 __GSHandlerCheck_EH 2753->2757 2758 7ff632bc43d0 _CreateFrameInfo 10 API calls 2753->2758 2755 7ff632bc43d0 _CreateFrameInfo 10 API calls 2754->2755 2755->2753 2756 7ff632bc4def 2756->2751 2759 7ff632bc4ded 2756->2759 2839 7ff632bc4ea0 2756->2839 2757->2756 2791 7ff632bc4b90 __GSHandlerCheck_EH 2757->2791 2760 7ff632bc4ac0 2758->2760 2761 7ff632bc43d0 _CreateFrameInfo 10 API calls 2759->2761 2763 7ff632bc4e37 2760->2763 2766 7ff632bc43d0 _CreateFrameInfo 10 API calls 2760->2766 2765 7ff632bc4e30 2761->2765 2762 7ff632bc4dd4 __GSHandlerCheck_EH 2762->2759 2771 7ff632bc4e81 2762->2771 2767 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 2763->2767 2765->2751 2765->2763 2768 7ff632bc4ad0 2766->2768 2769 7ff632bc4e43 2767->2769 2770 7ff632bc43d0 _CreateFrameInfo 10 API calls 2768->2770 2769->2712 2772 7ff632bc4ad9 2770->2772 2773 7ff632bc43d0 _CreateFrameInfo 10 API calls 2771->2773 2803 7ff632bc3be8 2772->2803 2775 7ff632bc4e86 2773->2775 2777 7ff632bc43d0 _CreateFrameInfo 10 API calls 2775->2777 2778 7ff632bc4e8f terminate 2777->2778 2778->2751 2779 7ff632bc43d0 _CreateFrameInfo 10 API calls 2780 7ff632bc4b16 2779->2780 2780->2757 2781 7ff632bc43d0 _CreateFrameInfo 10 API calls 2780->2781 2782 7ff632bc4b22 2781->2782 2783 7ff632bc43d0 _CreateFrameInfo 10 API calls 2782->2783 2784 7ff632bc4b2b 2783->2784 2806 7ff632bc5fd8 2784->2806 2785 7ff632bc3bbc 10 API calls BuildCatchObjectHelperInternal 2785->2791 2789 7ff632bc4b3f 2813 7ff632bc60c8 2789->2813 2791->2762 2791->2785 2817 7ff632bc52d0 2791->2817 2831 7ff632bc48d0 2791->2831 2792 7ff632bc4e7b terminate 2792->2771 2794 7ff632bc4b47 std::bad_alloc::bad_alloc __GSHandlerCheck_EH 2794->2792 2795 7ff632bc3f84 Concurrency::cancel_current_task 2 API calls 2794->2795 2796 7ff632bc4e7a 2795->2796 2796->2792 2798 7ff632bc43d0 _CreateFrameInfo 10 API calls 2797->2798 2799 7ff632bc3bb1 2798->2799 2799->2715 2801 7ff632bc43d0 _CreateFrameInfo 10 API calls 2800->2801 2802 7ff632bc3bde 2801->2802 2802->2735 2804 7ff632bc43d0 _CreateFrameInfo 10 API calls 2803->2804 2805 7ff632bc3bf6 2804->2805 2805->2751 2805->2779 2807 7ff632bc60bf abort 2806->2807 2810 7ff632bc6003 2806->2810 2808 7ff632bc4b3b 2808->2757 2808->2789 2809 7ff632bc3bbc 10 API calls BuildCatchObjectHelperInternal 2809->2810 2810->2808 2810->2809 2811 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2810->2811 2855 7ff632bc5190 2810->2855 2811->2810 2814 7ff632bc60e5 Is_bad_exception_allowed 2813->2814 2816 7ff632bc6135 2813->2816 2815 7ff632bc3ba8 10 API calls Is_bad_exception_allowed 2814->2815 2814->2816 2815->2814 2816->2794 2818 7ff632bc52fd 2817->2818 2828 7ff632bc538d 2817->2828 2819 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2818->2819 2820 7ff632bc5306 2819->2820 2821 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2820->2821 2822 7ff632bc531f 2820->2822 2820->2828 2821->2822 2823 7ff632bc534c 2822->2823 2824 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2822->2824 2822->2828 2825 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2823->2825 2824->2823 2826 7ff632bc5360 2825->2826 2827 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2826->2827 2826->2828 2829 7ff632bc5379 2826->2829 2827->2829 2828->2791 2830 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2829->2830 2830->2828 2832 7ff632bc490d __GSHandlerCheck_EH 2831->2832 2833 7ff632bc4933 2832->2833 2869 7ff632bc480c 2832->2869 2835 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2833->2835 2836 7ff632bc4945 2835->2836 2878 7ff632bc3838 RtlUnwindEx 2836->2878 2840 7ff632bc4ef4 2839->2840 2841 7ff632bc5169 2839->2841 2843 7ff632bc43d0 _CreateFrameInfo 10 API calls 2840->2843 2842 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 2841->2842 2844 7ff632bc5175 2842->2844 2845 7ff632bc4ef9 2843->2845 2844->2759 2846 7ff632bc4f0e EncodePointer 2845->2846 2847 7ff632bc4f60 __GSHandlerCheck_EH 2845->2847 2848 7ff632bc43d0 _CreateFrameInfo 10 API calls 2846->2848 2847->2841 2849 7ff632bc5189 abort 2847->2849 2854 7ff632bc4f82 __GSHandlerCheck_EH 2847->2854 2850 7ff632bc4f1e 2848->2850 2850->2847 2902 7ff632bc34f8 2850->2902 2852 7ff632bc3ba8 10 API calls Is_bad_exception_allowed 2852->2854 2853 7ff632bc48d0 __GSHandlerCheck_EH 21 API calls 2853->2854 2854->2841 2854->2852 2854->2853 2856 7ff632bc51bd 2855->2856 2865 7ff632bc524c 2855->2865 2857 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2856->2857 2858 7ff632bc51c6 2857->2858 2859 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2858->2859 2860 7ff632bc51df 2858->2860 2858->2865 2859->2860 2861 7ff632bc520b 2860->2861 2862 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2860->2862 2860->2865 2863 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2861->2863 2862->2861 2864 7ff632bc521f 2863->2864 2864->2865 2866 7ff632bc5238 2864->2866 2867 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2864->2867 2865->2810 2868 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2866->2868 2867->2866 2868->2865 2870 7ff632bc482f 2869->2870 2881 7ff632bc4608 2870->2881 2872 7ff632bc4840 2873 7ff632bc4881 __AdjustPointer 2872->2873 2876 7ff632bc4845 __AdjustPointer 2872->2876 2874 7ff632bc4864 BuildCatchObjectHelperInternal 2873->2874 2875 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2873->2875 2874->2833 2875->2874 2876->2874 2877 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2876->2877 2877->2874 2879 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 2878->2879 2880 7ff632bc394e 2879->2880 2880->2791 2882 7ff632bc4635 2881->2882 2884 7ff632bc463e 2881->2884 2883 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2882->2883 2883->2884 2885 7ff632bc3ba8 Is_bad_exception_allowed 10 API calls 2884->2885 2886 7ff632bc465d 2884->2886 2893 7ff632bc46c2 __AdjustPointer BuildCatchObjectHelperInternal 2884->2893 2885->2886 2887 7ff632bc46aa 2886->2887 2888 7ff632bc46ca 2886->2888 2886->2893 2890 7ff632bc47e9 abort abort 2887->2890 2887->2893 2889 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2888->2889 2892 7ff632bc474a 2888->2892 2888->2893 2889->2892 2891 7ff632bc480c 2890->2891 2894 7ff632bc4608 BuildCatchObjectHelperInternal 10 API calls 2891->2894 2892->2893 2895 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2892->2895 2893->2872 2896 7ff632bc4840 2894->2896 2895->2893 2897 7ff632bc4881 __AdjustPointer 2896->2897 2898 7ff632bc4845 __AdjustPointer 2896->2898 2899 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2897->2899 2901 7ff632bc4864 BuildCatchObjectHelperInternal 2897->2901 2900 7ff632bc3bbc BuildCatchObjectHelperInternal 10 API calls 2898->2900 2898->2901 2899->2901 2900->2901 2901->2872 2903 7ff632bc43d0 _CreateFrameInfo 10 API calls 2902->2903 2904 7ff632bc3524 2903->2904 2904->2847 3082 7ff632bc2970 3085 7ff632bc2da0 3082->3085 3086 7ff632bc2dc3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 3085->3086 3087 7ff632bc2979 3085->3087 3086->3087 3095 7ff632bc756f 3096 7ff632bc43d0 _CreateFrameInfo 10 API calls 3095->3096 3097 7ff632bc757d 3096->3097 3098 7ff632bc7588 3097->3098 3099 7ff632bc43d0 _CreateFrameInfo 10 API calls 3097->3099 3099->3098 3100 7ff632bc5f75 3108 7ff632bc5e35 __GSHandlerCheck_EH 3100->3108 3101 7ff632bc5f92 3102 7ff632bc43d0 _CreateFrameInfo 10 API calls 3101->3102 3103 7ff632bc5f97 3102->3103 3104 7ff632bc5fa2 3103->3104 3106 7ff632bc43d0 _CreateFrameInfo 10 API calls 3103->3106 3105 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 3104->3105 3107 7ff632bc5fb5 3105->3107 3106->3104 3108->3101 3109 7ff632bc3bd0 __GSHandlerCheck_EH 10 API calls 3108->3109 3109->3108 3110 7ff632bc7372 3111 7ff632bc43d0 _CreateFrameInfo 10 API calls 3110->3111 3112 7ff632bc7389 3111->3112 3113 7ff632bc43d0 _CreateFrameInfo 10 API calls 3112->3113 3114 7ff632bc73a4 3113->3114 3115 7ff632bc43d0 _CreateFrameInfo 10 API calls 3114->3115 3116 7ff632bc73ad 3115->3116 3117 7ff632bc5414 __GSHandlerCheck_EH 31 API calls 3116->3117 3118 7ff632bc73f3 3117->3118 3119 7ff632bc43d0 _CreateFrameInfo 10 API calls 3118->3119 3120 7ff632bc73f8 3119->3120 2905 7ff632bc74a7 2908 7ff632bc5cc0 2905->2908 2913 7ff632bc5c38 2908->2913 2911 7ff632bc43d0 _CreateFrameInfo 10 API calls 2912 7ff632bc5ce0 2911->2912 2914 7ff632bc5ca3 2913->2914 2915 7ff632bc5c5a 2913->2915 2914->2911 2914->2912 2915->2914 2916 7ff632bc43d0 _CreateFrameInfo 10 API calls 2915->2916 2916->2914 2917 7ff632bc59ad 2918 7ff632bc43d0 _CreateFrameInfo 10 API calls 2917->2918 2919 7ff632bc59ba 2918->2919 2920 7ff632bc43d0 _CreateFrameInfo 10 API calls 2919->2920 2923 7ff632bc59c3 __GSHandlerCheck_EH 2920->2923 2921 7ff632bc5a0a RaiseException 2922 7ff632bc5a29 2921->2922 2936 7ff632bc3b54 2922->2936 2923->2921 2925 7ff632bc43d0 _CreateFrameInfo 10 API calls 2926 7ff632bc5a6d 2925->2926 2928 7ff632bc43d0 _CreateFrameInfo 10 API calls 2926->2928 2930 7ff632bc5a76 2928->2930 2931 7ff632bc43d0 _CreateFrameInfo 10 API calls 2930->2931 2932 7ff632bc5a7f 2931->2932 2934 7ff632bc43d0 _CreateFrameInfo 10 API calls 2932->2934 2933 7ff632bc5a5a __GSHandlerCheck_EH 2933->2925 2935 7ff632bc5a8e 2934->2935 2937 7ff632bc43d0 _CreateFrameInfo 10 API calls 2936->2937 2938 7ff632bc3b66 2937->2938 2939 7ff632bc3ba1 abort 2938->2939 2940 7ff632bc43d0 _CreateFrameInfo 10 API calls 2938->2940 2941 7ff632bc3b71 2940->2941 2941->2939 2942 7ff632bc3b8d 2941->2942 2943 7ff632bc43d0 _CreateFrameInfo 10 API calls 2942->2943 2944 7ff632bc3b92 2943->2944 2944->2933 2945 7ff632bc4104 2944->2945 2946 7ff632bc43d0 _CreateFrameInfo 10 API calls 2945->2946 2947 7ff632bc4112 2946->2947 2947->2933 2243 7ff632bc27ec 2266 7ff632bc2b8c 2243->2266 2246 7ff632bc2943 2306 7ff632bc2ecc IsProcessorFeaturePresent 2246->2306 2247 7ff632bc280d 2249 7ff632bc294d 2247->2249 2254 7ff632bc282b __scrt_release_startup_lock 2247->2254 2250 7ff632bc2ecc 7 API calls 2249->2250 2251 7ff632bc2958 2250->2251 2253 7ff632bc2960 _exit 2251->2253 2252 7ff632bc2850 2254->2252 2255 7ff632bc28d6 _get_initial_narrow_environment __p___argv __p___argc 2254->2255 2258 7ff632bc28ce _register_thread_local_exe_atexit_callback 2254->2258 2272 7ff632bc1060 2255->2272 2258->2255 2261 7ff632bc2903 2262 7ff632bc2908 _cexit 2261->2262 2263 7ff632bc290d 2261->2263 2262->2263 2302 7ff632bc2d20 2263->2302 2313 7ff632bc316c 2266->2313 2269 7ff632bc2bbb __scrt_initialize_crt 2271 7ff632bc2805 2269->2271 2315 7ff632bc404c 2269->2315 2271->2246 2271->2247 2273 7ff632bc1386 2272->2273 2296 7ff632bc10b4 2272->2296 2342 7ff632bc1450 __acrt_iob_func 2273->2342 2275 7ff632bc1399 2300 7ff632bc3020 GetModuleHandleW 2275->2300 2276 7ff632bc1289 2276->2273 2277 7ff632bc129f 2276->2277 2347 7ff632bc2688 2277->2347 2279 7ff632bc1125 strcmp 2279->2296 2280 7ff632bc12a9 2281 7ff632bc12b9 GetTempPathA 2280->2281 2282 7ff632bc1325 2280->2282 2285 7ff632bc12e9 strcat_s 2281->2285 2286 7ff632bc12cb GetLastError 2281->2286 2356 7ff632bc23c0 2282->2356 2283 7ff632bc1151 strcmp 2283->2296 2285->2282 2287 7ff632bc1304 2285->2287 2289 7ff632bc1450 6 API calls 2286->2289 2290 7ff632bc1450 6 API calls 2287->2290 2293 7ff632bc12df GetLastError 2289->2293 2297 7ff632bc1312 2290->2297 2291 7ff632bc1344 __acrt_iob_func fflush __acrt_iob_func fflush 2291->2297 2292 7ff632bc117d strcmp 2292->2296 2293->2297 2296->2276 2296->2279 2296->2283 2296->2292 2298 7ff632bc1226 strcmp 2296->2298 2297->2275 2298->2296 2299 7ff632bc1239 atoi 2298->2299 2299->2296 2301 7ff632bc28ff 2300->2301 2301->2251 2301->2261 2304 7ff632bc2d31 __scrt_initialize_crt 2302->2304 2303 7ff632bc2916 2303->2252 2304->2303 2305 7ff632bc404c __scrt_initialize_crt 7 API calls 2304->2305 2305->2303 2307 7ff632bc2ef2 2306->2307 2308 7ff632bc2f11 RtlCaptureContext RtlLookupFunctionEntry 2307->2308 2309 7ff632bc2f76 2308->2309 2310 7ff632bc2f3a RtlVirtualUnwind 2308->2310 2311 7ff632bc2fa8 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 2309->2311 2310->2309 2312 7ff632bc2ffa 2311->2312 2312->2249 2314 7ff632bc2bae __scrt_dllmain_crt_thread_attach 2313->2314 2314->2269 2314->2271 2316 7ff632bc405e 2315->2316 2317 7ff632bc4054 2315->2317 2316->2271 2321 7ff632bc44f4 2317->2321 2322 7ff632bc4059 2321->2322 2323 7ff632bc4503 2321->2323 2325 7ff632bc6460 2322->2325 2329 7ff632bc6630 2323->2329 2326 7ff632bc648b 2325->2326 2327 7ff632bc648f 2326->2327 2328 7ff632bc646e DeleteCriticalSection 2326->2328 2327->2316 2328->2326 2333 7ff632bc6498 2329->2333 2338 7ff632bc64dc 2333->2338 2340 7ff632bc65b2 TlsFree 2333->2340 2334 7ff632bc650a LoadLibraryExW 2336 7ff632bc6581 2334->2336 2337 7ff632bc652b GetLastError 2334->2337 2335 7ff632bc65a1 GetProcAddress 2335->2340 2336->2335 2339 7ff632bc6598 FreeLibrary 2336->2339 2337->2338 2338->2334 2338->2335 2338->2340 2341 7ff632bc654d LoadLibraryExW 2338->2341 2339->2335 2341->2336 2341->2338 2392 7ff632bc1010 2342->2392 2344 7ff632bc148a __acrt_iob_func 2395 7ff632bc1000 2344->2395 2346 7ff632bc14a2 __stdio_common_vfprintf __acrt_iob_func fflush 2346->2275 2350 7ff632bc2690 2347->2350 2348 7ff632bc26aa malloc 2349 7ff632bc26b4 2348->2349 2348->2350 2349->2280 2350->2348 2351 7ff632bc26ba 2350->2351 2352 7ff632bc26c5 2351->2352 2397 7ff632bc2b30 2351->2397 2401 7ff632bc1720 2352->2401 2355 7ff632bc26cb 2355->2280 2357 7ff632bc2688 5 API calls 2356->2357 2358 7ff632bc23f5 OpenProcess 2357->2358 2359 7ff632bc2458 K32GetModuleBaseNameA 2358->2359 2360 7ff632bc243b GetLastError 2358->2360 2361 7ff632bc2470 GetLastError 2359->2361 2362 7ff632bc2492 2359->2362 2363 7ff632bc1450 6 API calls 2360->2363 2364 7ff632bc1450 6 API calls 2361->2364 2418 7ff632bc1800 2362->2418 2371 7ff632bc2453 2363->2371 2366 7ff632bc2484 CloseHandle 2364->2366 2366->2371 2368 7ff632bc24ae 2370 7ff632bc13c0 6 API calls 2368->2370 2369 7ff632bc25b3 CloseHandle 2369->2371 2373 7ff632bc24cf CreateFileA 2370->2373 2372 7ff632bc25fa 2371->2372 2374 7ff632bc25f3 _invalid_parameter_noinfo_noreturn 2371->2374 2429 7ff632bc2660 2372->2429 2376 7ff632bc250f GetLastError 2373->2376 2377 7ff632bc2543 2373->2377 2374->2372 2379 7ff632bc1450 6 API calls 2376->2379 2380 7ff632bc2550 MiniDumpWriteDump 2377->2380 2383 7ff632bc258a CloseHandle CloseHandle 2377->2383 2381 7ff632bc2538 CloseHandle 2379->2381 2382 7ff632bc2576 GetLastError 2380->2382 2380->2383 2381->2371 2382->2377 2385 7ff632bc258c 2382->2385 2383->2371 2386 7ff632bc1450 6 API calls 2385->2386 2386->2383 2387 7ff632bc13c0 __acrt_iob_func 2388 7ff632bc1010 fprintf __stdio_common_vfprintf 2387->2388 2389 7ff632bc13fa __acrt_iob_func 2388->2389 2488 7ff632bc1000 2389->2488 2391 7ff632bc1412 __stdio_common_vfprintf __acrt_iob_func fflush 2391->2291 2396 7ff632bc1000 2392->2396 2394 7ff632bc1036 __stdio_common_vfprintf 2394->2344 2395->2346 2396->2394 2398 7ff632bc2b3e std::bad_alloc::bad_alloc 2397->2398 2407 7ff632bc3f84 2398->2407 2400 7ff632bc2b4f 2402 7ff632bc172e Concurrency::cancel_current_task 2401->2402 2403 7ff632bc3f84 Concurrency::cancel_current_task 2 API calls 2402->2403 2404 7ff632bc173f 2403->2404 2412 7ff632bc3cc0 2404->2412 2408 7ff632bc3fc0 RtlPcToFileHeader 2407->2408 2409 7ff632bc3fa3 2407->2409 2410 7ff632bc3fd8 2408->2410 2411 7ff632bc3fe7 RaiseException 2408->2411 2409->2408 2410->2411 2411->2400 2413 7ff632bc3ce1 2412->2413 2414 7ff632bc176d 2412->2414 2413->2414 2415 7ff632bc3cf6 malloc 2413->2415 2414->2355 2416 7ff632bc3d23 free 2415->2416 2417 7ff632bc3d07 2415->2417 2416->2414 2417->2416 2419 7ff632bc1850 2418->2419 2420 7ff632bc1863 WSAStartup 2418->2420 2421 7ff632bc1450 6 API calls 2419->2421 2422 7ff632bc185c 2420->2422 2427 7ff632bc187f 2420->2427 2421->2422 2423 7ff632bc2660 __GSHandlerCheck_EH 8 API calls 2422->2423 2424 7ff632bc1d87 2423->2424 2424->2368 2424->2369 2425 7ff632bc1dd0 2426 7ff632bc1450 6 API calls 2425->2426 2426->2422 2427->2422 2427->2425 2438 7ff632bc20c0 2427->2438 2430 7ff632bc2669 2429->2430 2431 7ff632bc1334 2430->2431 2432 7ff632bc29c0 IsProcessorFeaturePresent 2430->2432 2431->2291 2431->2387 2433 7ff632bc29d8 2432->2433 2483 7ff632bc2a94 RtlCaptureContext 2433->2483 2439 7ff632bc20e9 2438->2439 2440 7ff632bc2218 2438->2440 2444 7ff632bc2137 2439->2444 2445 7ff632bc216c 2439->2445 2447 7ff632bc2144 2439->2447 2462 7ff632bc17e0 2440->2462 2442 7ff632bc221d 2446 7ff632bc1720 Concurrency::cancel_current_task 4 API calls 2442->2446 2444->2442 2444->2447 2449 7ff632bc2690 5 API calls 2445->2449 2451 7ff632bc2155 BuildCatchObjectHelperInternal 2445->2451 2450 7ff632bc2223 2446->2450 2453 7ff632bc2690 2447->2453 2448 7ff632bc21e0 _invalid_parameter_noinfo_noreturn 2452 7ff632bc21d3 BuildCatchObjectHelperInternal 2448->2452 2449->2451 2451->2448 2451->2452 2452->2427 2454 7ff632bc26aa malloc 2453->2454 2455 7ff632bc26b4 2454->2455 2456 7ff632bc269b 2454->2456 2455->2451 2456->2454 2457 7ff632bc26ba 2456->2457 2458 7ff632bc26c5 2457->2458 2459 7ff632bc2b30 Concurrency::cancel_current_task 2 API calls 2457->2459 2460 7ff632bc1720 Concurrency::cancel_current_task 4 API calls 2458->2460 2459->2458 2461 7ff632bc26cb 2460->2461 2461->2451 2475 7ff632bc34d4 2462->2475 2480 7ff632bc33f8 2475->2480 2478 7ff632bc3f84 Concurrency::cancel_current_task 2 API calls 2479 7ff632bc34f6 2478->2479 2481 7ff632bc3cc0 __std_exception_copy 2 API calls 2480->2481 2482 7ff632bc342c 2481->2482 2482->2478 2484 7ff632bc2aae RtlLookupFunctionEntry 2483->2484 2485 7ff632bc2ac4 RtlVirtualUnwind 2484->2485 2486 7ff632bc29eb 2484->2486 2485->2484 2485->2486 2487 7ff632bc2984 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2486->2487 2488->2391

                                                      Executed Functions

                                                      Function 00007FF632BC1060 Relevance: 65.0, APIs: 13, Strings: 24, Instructions: 214stringCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 7ff632bc1060-7ff632bc10ae 1 7ff632bc10b4-7ff632bc10c6 0->1 2 7ff632bc1386-7ff632bc1394 call 7ff632bc1450 0->2 4 7ff632bc10d0-7ff632bc10d6 1->4 5 7ff632bc1399 2->5 6 7ff632bc127f-7ff632bc1283 4->6 7 7ff632bc10dc-7ff632bc10df 4->7 8 7ff632bc139e-7ff632bc13b7 5->8 6->4 9 7ff632bc1289-7ff632bc1299 6->9 10 7ff632bc10e1-7ff632bc10e5 7->10 11 7ff632bc10ed 7->11 9->2 12 7ff632bc129f-7ff632bc12b7 call 7ff632bc2688 9->12 10->11 13 7ff632bc10e7-7ff632bc10eb 10->13 14 7ff632bc10f0-7ff632bc10fc 11->14 26 7ff632bc12b9-7ff632bc12c9 GetTempPathA 12->26 27 7ff632bc132a-7ff632bc1336 call 7ff632bc23c0 12->27 13->11 18 7ff632bc1104-7ff632bc110b 13->18 15 7ff632bc1110-7ff632bc1113 14->15 16 7ff632bc10fe-7ff632bc1102 14->16 20 7ff632bc1125-7ff632bc1136 strcmp 15->20 21 7ff632bc1115-7ff632bc1119 15->21 16->14 16->18 19 7ff632bc127b 18->19 19->6 24 7ff632bc1267-7ff632bc126e 20->24 25 7ff632bc113c-7ff632bc113f 20->25 21->20 23 7ff632bc111b-7ff632bc111f 21->23 23->20 23->24 28 7ff632bc1276 24->28 29 7ff632bc1151-7ff632bc1162 strcmp 25->29 30 7ff632bc1141-7ff632bc1145 25->30 32 7ff632bc12e9-7ff632bc1302 strcat_s 26->32 33 7ff632bc12cb-7ff632bc12e7 GetLastError call 7ff632bc1450 GetLastError 26->33 42 7ff632bc1338-7ff632bc1344 call 7ff632bc13c0 27->42 43 7ff632bc1346 27->43 28->19 38 7ff632bc1258-7ff632bc1265 29->38 39 7ff632bc1168-7ff632bc116b 29->39 30->29 36 7ff632bc1147-7ff632bc114b 30->36 34 7ff632bc1325 32->34 35 7ff632bc1304-7ff632bc1312 call 7ff632bc1450 32->35 53 7ff632bc1313-7ff632bc1323 call 7ff632bc2680 33->53 34->27 35->53 36->29 36->38 38->19 44 7ff632bc117d-7ff632bc118e strcmp 39->44 45 7ff632bc116d-7ff632bc1171 39->45 50 7ff632bc134b-7ff632bc1384 __acrt_iob_func fflush __acrt_iob_func fflush call 7ff632bc2680 42->50 43->50 51 7ff632bc1194-7ff632bc1197 44->51 52 7ff632bc1247-7ff632bc1256 44->52 45->44 49 7ff632bc1173-7ff632bc1177 45->49 49->44 49->52 50->8 57 7ff632bc11a5-7ff632bc11af 51->57 58 7ff632bc1199-7ff632bc119d 51->58 52->28 53->8 61 7ff632bc11b0-7ff632bc11bb 57->61 58->57 60 7ff632bc119f-7ff632bc11a3 58->60 60->57 63 7ff632bc11c3-7ff632bc11d2 60->63 64 7ff632bc11d7-7ff632bc11da 61->64 65 7ff632bc11bd-7ff632bc11c1 61->65 63->28 66 7ff632bc11ec-7ff632bc11f6 64->66 67 7ff632bc11dc-7ff632bc11e0 64->67 65->61 65->63 69 7ff632bc1200-7ff632bc120b 66->69 67->66 68 7ff632bc11e2-7ff632bc11e6 67->68 68->19 68->66 70 7ff632bc1215-7ff632bc1218 69->70 71 7ff632bc120d-7ff632bc1211 69->71 73 7ff632bc1226-7ff632bc1237 strcmp 70->73 74 7ff632bc121a-7ff632bc121e 70->74 71->69 72 7ff632bc1213 71->72 72->19 73->19 75 7ff632bc1239-7ff632bc1245 atoi 73->75 74->73 76 7ff632bc1220-7ff632bc1224 74->76 75->19 76->19 76->73
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                      • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                      • API String ID: 2647627392-2367407095
                                                      • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                      • Instruction ID: 92734eb8480d15eb0a8e559067d6f4bd8d0fd735187fa8dc6deb29a1b2e35434
                                                      • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                      • Instruction Fuzzy Hash: E1A18261D1C6A255FB618F20A4002B966ACEF47F5CF088131C98FE6799DFBCE484E712
                                                      Function 00007FF632BC27EC Relevance: 13.6, APIs: 9, Instructions: 102COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                      • String ID:
                                                      • API String ID: 2308368977-0
                                                      • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                      • Instruction ID: b353bfe218b280f303fcb536fbc6fb7bca0eb7fd04f991f2b709997ddf7e2ed4
                                                      • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                      • Instruction Fuzzy Hash: 5B313E21E0C22342FA14AB24A5513B91259AF87F8CF445035EA8FC73F7DEECB845A253
                                                      Function 00007FF632BC1450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                      • String ID: [createdump]
                                                      • API String ID: 3735572767-2657508301
                                                      • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                      • Instruction ID: d0a9582dfd90fe8ef777e59aae9c94bdf9c5219c861273d38b658be93d8ebf48
                                                      • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                      • Instruction Fuzzy Hash: A7016D31E08BA182E6019B50F81916AA368FF86FDDF004539EE8E87769CFBCD855D701

                                                      Non-executed Functions

                                                      Function 00007FF632BC2ECC Relevance: 10.6, APIs: 7, Instructions: 72COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                      • String ID:
                                                      • API String ID: 3140674995-0
                                                      • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                      • Instruction ID: e53764b3d20b300ea07c22a070cc438da79ae11bf28b127cbc91e0682455691b
                                                      • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                      • Instruction Fuzzy Hash: 12315272A08B9186EB608F60E8403ED7379FB45B5CF44443ADA8E87B98DF78D548C711
                                                      Function 00007FF632BC3074 Relevance: .0, Instructions: 2COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                      • Instruction ID: e6f52ad795e2469bf1b7290d4e9e91e43a07ffec374014af7eeead548c4ecc2a
                                                      • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                      • Instruction Fuzzy Hash: 3EA00222D0CD32D0E6458B10F8A42712339FB52B2CF800532D01FC12A09FBDA444E312
                                                      Function 00007FF632BC23C0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 157COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF632BC242D
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF632BC243B
                                                        • Part of subcall function 00007FF632BC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC1475
                                                        • Part of subcall function 00007FF632BC1450: fprintf.MSPDB140-MSVCRT ref: 00007FF632BC1485
                                                        • Part of subcall function 00007FF632BC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC1494
                                                        • Part of subcall function 00007FF632BC1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC14B3
                                                        • Part of subcall function 00007FF632BC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC14BE
                                                        • Part of subcall function 00007FF632BC1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC14C7
                                                      • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF632BC2466
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF632BC2470
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF632BC2487
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF632BC25F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                      • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                      • API String ID: 3971781330-1292085346
                                                      • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                      • Instruction ID: c08288b0cac57f5726c406e6efa79f4bc070396cd6868748de6903aba6315c41
                                                      • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                      • Instruction Fuzzy Hash: 74615231E08A5182E6109B15F46067A7769FB86FACF500134EE9F83BA5CFBDE445E702
                                                      Function 00007FF632BC49A4 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 316COMMONLIBRARYCODE
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 177 7ff632bc49a4-7ff632bc4a07 call 7ff632bc4518 180 7ff632bc4a20-7ff632bc4a29 call 7ff632bc43d0 177->180 181 7ff632bc4a09-7ff632bc4a12 call 7ff632bc43d0 177->181 186 7ff632bc4a3f-7ff632bc4a42 180->186 187 7ff632bc4a2b-7ff632bc4a38 call 7ff632bc43d0 * 2 180->187 188 7ff632bc4e99-7ff632bc4e9f abort 181->188 189 7ff632bc4a18-7ff632bc4a1e 181->189 186->188 191 7ff632bc4a48-7ff632bc4a54 186->191 187->186 189->186 193 7ff632bc4a7f 191->193 194 7ff632bc4a56-7ff632bc4a7d 191->194 196 7ff632bc4a81-7ff632bc4a83 193->196 194->196 196->188 198 7ff632bc4a89-7ff632bc4a8f 196->198 199 7ff632bc4a95-7ff632bc4a99 198->199 200 7ff632bc4b59-7ff632bc4b6f call 7ff632bc5724 198->200 199->200 202 7ff632bc4a9f-7ff632bc4aaa 199->202 205 7ff632bc4def-7ff632bc4df3 200->205 206 7ff632bc4b75-7ff632bc4b79 200->206 202->200 203 7ff632bc4ab0-7ff632bc4ab5 202->203 203->200 207 7ff632bc4abb-7ff632bc4ac5 call 7ff632bc43d0 203->207 210 7ff632bc4df5-7ff632bc4dfc 205->210 211 7ff632bc4e2b-7ff632bc4e35 call 7ff632bc43d0 205->211 206->205 208 7ff632bc4b7f-7ff632bc4b8a 206->208 218 7ff632bc4e37-7ff632bc4e56 call 7ff632bc2660 207->218 219 7ff632bc4acb-7ff632bc4af1 call 7ff632bc43d0 * 2 call 7ff632bc3be8 207->219 208->205 212 7ff632bc4b90-7ff632bc4b94 208->212 210->188 214 7ff632bc4e02-7ff632bc4e26 call 7ff632bc4ea0 210->214 211->188 211->218 216 7ff632bc4dd4-7ff632bc4dd8 212->216 217 7ff632bc4b9a-7ff632bc4bd1 call 7ff632bc36d0 212->217 214->211 216->211 222 7ff632bc4dda-7ff632bc4de7 call 7ff632bc3670 216->222 217->216 231 7ff632bc4bd7-7ff632bc4be2 217->231 246 7ff632bc4b11-7ff632bc4b1b call 7ff632bc43d0 219->246 247 7ff632bc4af3-7ff632bc4af7 219->247 233 7ff632bc4e81-7ff632bc4e98 call 7ff632bc43d0 * 2 terminate 222->233 234 7ff632bc4ded 222->234 235 7ff632bc4be6-7ff632bc4bf6 231->235 233->188 234->211 238 7ff632bc4d2f-7ff632bc4dce 235->238 239 7ff632bc4bfc-7ff632bc4c02 235->239 238->216 238->235 239->238 242 7ff632bc4c08-7ff632bc4c31 call 7ff632bc56a8 239->242 242->238 253 7ff632bc4c37-7ff632bc4c7e call 7ff632bc3bbc * 2 242->253 246->200 255 7ff632bc4b1d-7ff632bc4b3d call 7ff632bc43d0 * 2 call 7ff632bc5fd8 246->255 247->246 250 7ff632bc4af9-7ff632bc4b04 247->250 250->246 254 7ff632bc4b06-7ff632bc4b0b 250->254 263 7ff632bc4c80-7ff632bc4ca5 call 7ff632bc3bbc call 7ff632bc52d0 253->263 264 7ff632bc4cba-7ff632bc4cd0 call 7ff632bc5ab0 253->264 254->188 254->246 273 7ff632bc4b3f-7ff632bc4b49 call 7ff632bc60c8 255->273 274 7ff632bc4b54 255->274 279 7ff632bc4cd7-7ff632bc4d26 call 7ff632bc48d0 263->279 280 7ff632bc4ca7-7ff632bc4cb3 263->280 275 7ff632bc4cd2 264->275 276 7ff632bc4d2b 264->276 283 7ff632bc4b4f-7ff632bc4e7a call 7ff632bc4090 call 7ff632bc5838 call 7ff632bc3f84 273->283 284 7ff632bc4e7b-7ff632bc4e80 terminate 273->284 274->200 275->253 276->238 279->276 280->263 282 7ff632bc4cb5 280->282 282->264 283->284 284->233
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 695522112-393685449
                                                      • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                      • Instruction ID: 3ea320cb275b07aff46edfe67501f9ed1a82837fd1816c9202cf9ec0f9ccd5b4
                                                      • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                      • Instruction Fuzzy Hash: 60E1D272D086A28AE7209F24D4803AD37B8FB46B4CF104135DA9F87795CFB8E685D702
                                                      Function 00007FF632BC13C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                      • String ID: [createdump]
                                                      • API String ID: 3735572767-2657508301
                                                      • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                      • Instruction ID: 162165d0f6d4dbc2b9f9bd62acd0a891e9307dff7bad7d798d63ad138c12ce42
                                                      • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                      • Instruction Fuzzy Hash: E3014F31E08B6182E7019B50F8181AAA368EB86FD9F004135DA8E47769CFBCD895D741
                                                      Function 00007FF632BC1800 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 92networkCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      • WSAStartup.WS2_32 ref: 00007FF632BC186C
                                                        • Part of subcall function 00007FF632BC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC1475
                                                        • Part of subcall function 00007FF632BC1450: fprintf.MSPDB140-MSVCRT ref: 00007FF632BC1485
                                                        • Part of subcall function 00007FF632BC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC1494
                                                        • Part of subcall function 00007FF632BC1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC14B3
                                                        • Part of subcall function 00007FF632BC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC14BE
                                                        • Part of subcall function 00007FF632BC1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC14C7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                      • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                      • API String ID: 3378602911-3973674938
                                                      • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                      • Instruction ID: 3a1a1e6feb7e7e3182d2f5539de278d3eebf5427f225e5a792018ce8160db842
                                                      • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                      • Instruction Fuzzy Hash: 03310362E1CAA186E7598F5598547F92769BB47F8CF440032DE8E53391CEBCE045E701
                                                      Function 00007FF632BC6498 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF632BC669F,?,?,?,00007FF632BC441E,?,?,?,00007FF632BC43D9), ref: 00007FF632BC651D
                                                      • GetLastError.KERNEL32(?,00000000,00007FF632BC669F,?,?,?,00007FF632BC441E,?,?,?,00007FF632BC43D9,?,?,?,?,00007FF632BC3524), ref: 00007FF632BC652B
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00007FF632BC669F,?,?,?,00007FF632BC441E,?,?,?,00007FF632BC43D9,?,?,?,?,00007FF632BC3524), ref: 00007FF632BC6555
                                                      • FreeLibrary.KERNEL32(?,00000000,00007FF632BC669F,?,?,?,00007FF632BC441E,?,?,?,00007FF632BC43D9,?,?,?,?,00007FF632BC3524), ref: 00007FF632BC659B
                                                      • GetProcAddress.KERNEL32(?,00000000,00007FF632BC669F,?,?,?,00007FF632BC441E,?,?,?,00007FF632BC43D9,?,?,?,?,00007FF632BC3524), ref: 00007FF632BC65A7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                      • String ID: api-ms-
                                                      • API String ID: 2559590344-2084034818
                                                      • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                      • Instruction ID: a6df39f2be698e9ab8e23ea689ebfec2a5e191310d5827f94c4342883f435cb8
                                                      • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                      • Instruction Fuzzy Hash: 8631A821F1966695FE129B11A80097522DCFF8AF6CF294635DE1F87385EFBCE4449301
                                                      Function 00007FF632BC1B18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 360 7ff632bc1b18-7ff632bc1b32 _time64 361 7ff632bc1b80-7ff632bc1ba8 360->361 362 7ff632bc1b34-7ff632bc1b37 360->362 361->361 364 7ff632bc1baa-7ff632bc1bd8 361->364 363 7ff632bc1b40-7ff632bc1b68 362->363 363->363 365 7ff632bc1b6a-7ff632bc1b71 363->365 366 7ff632bc1bfa-7ff632bc1c32 364->366 367 7ff632bc1bda-7ff632bc1bf5 call 7ff632bc1ee0 364->367 365->364 369 7ff632bc1c64-7ff632bc1c78 call 7ff632bc2230 366->369 370 7ff632bc1c34-7ff632bc1c43 366->370 367->366 377 7ff632bc1c7d-7ff632bc1c88 369->377 373 7ff632bc1c45 370->373 374 7ff632bc1c48-7ff632bc1c62 call 7ff632bc68c0 370->374 373->374 374->377 379 7ff632bc1cbb-7ff632bc1cde 377->379 380 7ff632bc1c8a-7ff632bc1c98 377->380 383 7ff632bc1d55-7ff632bc1d70 379->383 381 7ff632bc1cb3-7ff632bc1cb6 call 7ff632bc2680 380->381 382 7ff632bc1c9a-7ff632bc1cad 380->382 381->379 382->381 385 7ff632bc1da2-7ff632bc1dce _invalid_parameter_noinfo_noreturn WSAGetLastError call 7ff632bc1450 call 7ff632bc2680 382->385 387 7ff632bc18a0-7ff632bc18a3 383->387 388 7ff632bc1d76 383->388 390 7ff632bc1d78-7ff632bc1da1 call 7ff632bc2660 385->390 391 7ff632bc18a5-7ff632bc18b7 387->391 392 7ff632bc18f3-7ff632bc18fe 387->392 388->390 395 7ff632bc18e2-7ff632bc18ee call 7ff632bc20c0 391->395 396 7ff632bc18b9-7ff632bc18c8 391->396 398 7ff632bc1dd0-7ff632bc1dde call 7ff632bc1450 392->398 399 7ff632bc1904-7ff632bc1915 392->399 395->383 402 7ff632bc18cd-7ff632bc18dd 396->402 403 7ff632bc18ca 396->403 398->390 399->383 402->383 403->402
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: _time64
                                                      • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                      • API String ID: 1670930206-4114407318
                                                      • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                      • Instruction ID: a06bbed3cfcd3723e162d1548c751b28c83d5bb1cc9ea9e7f1993e0cd9f5839f
                                                      • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                      • Instruction Fuzzy Hash: 0D51E672E28B9146EB00CB28E4443AA6798EB46FDCF400131DA9E677A9DF7CD041E741
                                                      Function 00007FF632BC4EA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMONLIBRARYCODE
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: EncodePointerabort
                                                      • String ID: MOC$RCC
                                                      • API String ID: 1188231555-2084237596
                                                      • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                      • Instruction ID: 220a50e3156deb5e82e7e317f05c0846e10bc85f242aaf7787e5d5eda5ba9810
                                                      • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                      • Instruction Fuzzy Hash: 8391D073E08BA28AE7108B65E8802AD77B4F746B8CF14412AEA8E97754CF78D191D701
                                                      Function 00007FF632BC5414 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 459 7ff632bc5414-7ff632bc5461 call 7ff632bc63f4 call 7ff632bc43d0 464 7ff632bc548e-7ff632bc5492 459->464 465 7ff632bc5463-7ff632bc5469 459->465 467 7ff632bc55b2-7ff632bc55c7 call 7ff632bc5724 464->467 468 7ff632bc5498-7ff632bc549b 464->468 465->464 466 7ff632bc546b-7ff632bc546e 465->466 469 7ff632bc5480-7ff632bc5483 466->469 470 7ff632bc5470-7ff632bc5474 466->470 479 7ff632bc55d2-7ff632bc55d8 467->479 480 7ff632bc55c9-7ff632bc55cc 467->480 471 7ff632bc54a1-7ff632bc54d1 468->471 472 7ff632bc5680 468->472 469->464 474 7ff632bc5485-7ff632bc5488 469->474 470->474 475 7ff632bc5476-7ff632bc547e 470->475 471->472 476 7ff632bc54d7-7ff632bc54de 471->476 477 7ff632bc5685-7ff632bc56a1 472->477 474->464 474->472 475->464 475->469 476->472 481 7ff632bc54e4-7ff632bc54e8 476->481 482 7ff632bc5647-7ff632bc567b call 7ff632bc49a4 479->482 483 7ff632bc55da-7ff632bc55de 479->483 480->472 480->479 484 7ff632bc559f-7ff632bc55ad call 7ff632bc3678 481->484 485 7ff632bc54ee-7ff632bc54f1 481->485 482->472 483->482 486 7ff632bc55e0-7ff632bc55e7 483->486 484->472 489 7ff632bc54f3-7ff632bc5508 call 7ff632bc4520 485->489 490 7ff632bc5556-7ff632bc5559 485->490 486->482 491 7ff632bc55e9-7ff632bc55f0 486->491 496 7ff632bc56a2-7ff632bc56a7 abort 489->496 501 7ff632bc550e-7ff632bc5511 489->501 490->484 492 7ff632bc555b-7ff632bc5563 490->492 491->482 495 7ff632bc55f2-7ff632bc5605 call 7ff632bc3bbc 491->495 492->496 497 7ff632bc5569-7ff632bc5593 492->497 495->482 508 7ff632bc5607-7ff632bc5645 495->508 497->496 500 7ff632bc5599-7ff632bc559d 497->500 505 7ff632bc5546-7ff632bc5551 call 7ff632bc5cf0 500->505 502 7ff632bc5513-7ff632bc5538 501->502 503 7ff632bc553a-7ff632bc553d 501->503 502->503 503->496 506 7ff632bc5543 503->506 505->472 506->505 508->477
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __except_validate_context_recordabort
                                                      • String ID: csm$csm
                                                      • API String ID: 746414643-3733052814
                                                      • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                      • Instruction ID: ee8b533da89a99245373faa8b987e6be29434e9cb23a00a06b7360fbf13ec377
                                                      • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                      • Instruction Fuzzy Hash: AC71C132A086A28AD7209F25D4407B97BA4FB42F9DF048135DA8E97B85CF7CD451DB02
                                                      Function 00007FF632BC195F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                      • API String ID: 0-4114407318
                                                      • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                      • Instruction ID: d83de139b885bffe73a380d12339683c3c0b79c40833e178c019f424c21dce93
                                                      • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                      • Instruction Fuzzy Hash: B3510972E28B9546D700CB29E4407AA6759EB82FD8F400135EAAE57BE9CF7CD041E741
                                                      Function 00007FF632BC5860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: CreateFrameInfo__except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 2558813199-1018135373
                                                      • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                      • Instruction ID: 545b44d1396c8864c4b22242ef967572b3126bfb915bb043f1113a65a16ed9d2
                                                      • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                      • Instruction Fuzzy Hash: 98515132A1875286D620AB16F44026E77B8F78AF9CF145135EB8E87B55CFBCD460DB01
                                                      Function 00007FF632BC17E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59networkCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 00007FF632BC17EB
                                                      • WSAStartup.WS2_32 ref: 00007FF632BC186C
                                                        • Part of subcall function 00007FF632BC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC1475
                                                        • Part of subcall function 00007FF632BC1450: fprintf.MSPDB140-MSVCRT ref: 00007FF632BC1485
                                                        • Part of subcall function 00007FF632BC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC1494
                                                        • Part of subcall function 00007FF632BC1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC14B3
                                                        • Part of subcall function 00007FF632BC1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC14BE
                                                        • Part of subcall function 00007FF632BC1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF632BC14C7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                      • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                      • API String ID: 1412700758-3183687674
                                                      • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                      • Instruction ID: 6d0bcec6640904632e0c366f3edd0893bb766b1e2c3224f279bc37fda16ea77d
                                                      • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                      • Instruction Fuzzy Hash: D501F122E1899095F7619F12EC817BA6358BB8AF9CF000032EE4E47761CE7CE482C700
                                                      Function 00007FF632BC1CE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54networkCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastgethostname
                                                      • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                      • API String ID: 3782448640-4114407318
                                                      • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                      • Instruction ID: c28af258bd759e42f0ce63bbef337707cd4e84f46848d410fec3fae0d7cd606e
                                                      • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                      • Instruction Fuzzy Hash: D5110A21E1D55245FA45AB21A8503FA22889F87FBCF001135D99F973E6CD7CE482A351
                                                      Function 00007FF632BC4158 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: terminate
                                                      • String ID: MOC$RCC$csm
                                                      • API String ID: 1821763600-2671469338
                                                      • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                      • Instruction ID: 8c6a21e05f5807d8e44e113428e3a9a7aadbbdaa39cf03b38a5ecacb33cdf08b
                                                      • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                      • Instruction Fuzzy Hash: 2DF08C36D1826681E3245B51B18106C3A78EF99F4CF099031D75B96392CFFCE6A0A603
                                                      Function 00007FF632BC20C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF632BC18EE), ref: 00007FF632BC21E0
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF632BC221E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                      • String ID: Invalid process id '%d' error %d
                                                      • API String ID: 73155330-4244389950
                                                      • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                      • Instruction ID: 212efc226ebf7810d57a8b5d72fb523132557fc2545f6841f67251369a17b388
                                                      • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                      • Instruction Fuzzy Hash: 7E310322F097A195EA109F11D5042A963A9EB06FDCF080631DFDE477E5DEBCE090A311
                                                      Function 00007FF632BC3F84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                                                      Download Yara Rule
                                                      APIs
                                                      • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF632BC173F), ref: 00007FF632BC3FC8
                                                      • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF632BC173F), ref: 00007FF632BC400E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1827263966.00007FF632BC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF632BC0000, based on PE: true
                                                      • Associated: 00000007.00000002.1826935667.00007FF632BC0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828537201.00007FF632BC8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1828867493.00007FF632BCC000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                      • Associated: 00000007.00000002.1829234259.00007FF632BCD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ff632bc0000_createdump.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFileHeaderRaise
                                                      • String ID: csm
                                                      • API String ID: 2573137834-1018135373
                                                      • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                      • Instruction ID: 7d6895c55f001e4e518ef10cd2fa953c22b4414edc63137234b97fdef0f92ba3
                                                      • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                      • Instruction Fuzzy Hash: 27116D32A08B5182EB218B15F44026977A4FB89F9CF584230EE8E47B58DF7CC455C700

                                                      Non-executed Functions

                                                      Function 00007FFE0142C0C0 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 169libraryloaderCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                      • API String ID: 667068680-295688737
                                                      • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                      • Instruction ID: 4df6ef6dd908e9ac89a443b0c3abb15ee60056be3b2d22db3c816af3f1eb7920
                                                      • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                      • Instruction Fuzzy Hash: FFA187A8A09F0793FF049B55B8A816423A7FF49B85BA49035C84F4F634EF7CA159C390
                                                      Function 00007FFE1A537508 Relevance: 90.2, APIs: 36, Strings: 15, Instructions: 913COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                      • API String ID: 2943138195-2884338863
                                                      • Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                      • Instruction ID: 61b4edc47fc50d0b2ac50615fc8390a472214838c67a08255218c020092db5a1
                                                      • Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                      • Instruction Fuzzy Hash: 8D925162B1CE8286E741CB15E4802BEB7A0FF85764F5011B6FA8E47AA9DF7CD544CB40
                                                      Function 00007FFE0142F9DA Relevance: 34.3, APIs: 16, Strings: 3, Instructions: 1065COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                      • Instruction ID: 557ba268821e123c69060fa1a0f4507362ed80d941e526980e5042449c03dd89
                                                      • Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                      • Instruction Fuzzy Hash: 12A26A22609B8982EF24CF19E4903A9B760FB89F91F548136DA8D4BB75DF7DD489C700
                                                      Function 00007FFE01422D70 Relevance: 27.7, APIs: 14, Strings: 1, Instructions: 1490COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • memchr.VCRUNTIME140 ref: 00007FFE014230AA
                                                      • memchr.VCRUNTIME140 ref: 00007FFE01423470
                                                      • memchr.VCRUNTIME140 ref: 00007FFE014236A5
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0142410D
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424114
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0142411B
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424122
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424129
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424130
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424137
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0142413E
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01424145
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0142414C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014242D3
                                                        • Part of subcall function 00007FFE01401DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401DFB
                                                        • Part of subcall function 00007FFE01401DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401E08
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
                                                      • String ID: 0123456789-
                                                      • API String ID: 3572500260-3850129594
                                                      • Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                      • Instruction ID: 5dceff8b9885f9c8b9cb75c0bd9ae5eaa65d60152c9edb4773cd540e3e34e2ce
                                                      • Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                      • Instruction Fuzzy Hash: D2E2CB22A09A858AEB008F6AD4543BC37B1FB69B98F958131DA5E0B7F5CF7DD485C301
                                                      Function 0000000140008390 Relevance: 19.7, APIs: 13, Instructions: 152fileCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                        • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                        • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                        • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                        • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                        • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                        • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                      • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                      • OpenEventA.KERNEL32 ref: 0000000140008454
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                      • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                        • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                        • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                        • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                        • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                        • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                        • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                        • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                      • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                      • CloseHandle.KERNEL32 ref: 0000000140008554
                                                      • CloseHandle.KERNEL32 ref: 0000000140008561
                                                      • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                      • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                      • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                      • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                      • String ID:
                                                      • API String ID: 1089015687-0
                                                      • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                      • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                      • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                      • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                      Function 0000000140007FC0 Relevance: 18.2, APIs: 12, Instructions: 159fileCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                      • String ID:
                                                      • API String ID: 2074253140-0
                                                      • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                      • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                      • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                      • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
                                                      Function 00007FFE0142B698 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 225COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: iswdigit$btowclocaleconv
                                                      • String ID: 0$0
                                                      • API String ID: 240710166-203156872
                                                      • Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                      • Instruction ID: 4fdc607cc9020e3c6bcd55aa2cf4d305a6edeff264e7ee3c7d70554d3ce17969
                                                      • Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                      • Instruction Fuzzy Hash: E6811672A1854687E7219F25E85037E73A1FFA0B49F884135DB8E4A2B0EF7CE885C701
                                                      Function 00007FFE013FC780 Relevance: 17.0, APIs: 8, Strings: 1, Instructions: 1257COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0123456789-+Ee
                                                      • API String ID: 0-1347306980
                                                      • Opcode ID: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                      • Instruction ID: f68a261bd852d8f837c0e19ed4911de76981db4691d01db98844451a9c533627
                                                      • Opcode Fuzzy Hash: eb32ccacec42567cb68557178e27677abe53c2207ecc5e66019c7fa00c927496
                                                      • Instruction Fuzzy Hash: 2FC2CE26A09AC58AEB51AF69D05427C37A1FB01F84F559039DA5E2F7B1CF3DE866C300
                                                      Function 00007FFE0142A27C Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 247COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memchr$isdigit$localeconv
                                                      • String ID: 0$0123456789abcdefABCDEF
                                                      • API String ID: 1981154758-1185640306
                                                      • Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                      • Instruction ID: 294fd90076718d61af4f632cad438c69aeb58fcfc34e97b1e8f6545b4ebef35b
                                                      • Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                      • Instruction Fuzzy Hash: 94914C22A0C5A647FB258F24E81037E7B91FB55B48F989034DE8E4BA75DA3CE885C741
                                                      Function 00007FFE013FD810 Relevance: 15.3, APIs: 7, Strings: 1, Instructions: 1307COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
                                                      • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                      • API String ID: 2141594249-3606100449
                                                      • Opcode ID: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                      • Instruction ID: db4e984a9c263695f3a8ba49362045eedbc53c1fd2a1040ae74319e0a808f2bd
                                                      • Opcode Fuzzy Hash: e41ac7df23ae4e47cc8235113ca0bfaf537e11f38443c942c12ae7e9b511fdcc
                                                      • Instruction Fuzzy Hash: 2DD29D22A09AC58AEB51AF6AD19417C3761FB41F84B568039DB5E2F7B1CF3DE856C300
                                                      Function 00007FFE01412208 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1497COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _Find_elem.LIBCPMT ref: 00007FFE01412C08
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014135B9
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014135C0
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014135C7
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01413776
                                                        • Part of subcall function 00007FFE01401DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401DFB
                                                        • Part of subcall function 00007FFE01401DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401E08
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                      • String ID: 0123456789-
                                                      • API String ID: 2779821303-3850129594
                                                      • Opcode ID: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                      • Instruction ID: 79c48f54706bb3c3d8fe017bab2531652ffed459b54e8975a928d315b9107b19
                                                      • Opcode Fuzzy Hash: 8b22372819934a5f3343a781071aa47f52bcb789ae67cf9bb87e88e050bf4df3
                                                      • Instruction Fuzzy Hash: 27E2BD26A19A958AEB508F29D09067D3BB5FF44B94F649036EE4E4B7B4CF7CD881C700
                                                      Function 00007FFE01410C60 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1497COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _Find_elem.LIBCPMT ref: 00007FFE01411660
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01412011
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01412018
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141201F
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014121CE
                                                        • Part of subcall function 00007FFE01401DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401DFB
                                                        • Part of subcall function 00007FFE01401DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE013FC320), ref: 00007FFE01401E08
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                      • String ID: 0123456789-
                                                      • API String ID: 2779821303-3850129594
                                                      • Opcode ID: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                      • Instruction ID: 5c694c9f278c5933c7cdab3e7e0cb9f3f1712e437ee6d40e25514ed737c9c78a
                                                      • Opcode Fuzzy Hash: 8f17ecccf26e5bf9b8486391f160b62f5bd052ff72dc6714c9cd1cb8630ff85f
                                                      • Instruction Fuzzy Hash: DCE25B26A19A9586EB508F29D0906BD3BA5FB44F84F549036EF4E4BBB5CF3DD881C700
                                                      Function 00007FFE0142BDA0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 239COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: iswdigit$localeconv
                                                      • String ID: 0$0$0123456789abcdefABCDEF
                                                      • API String ID: 2634821343-613610638
                                                      • Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                      • Instruction ID: a36eb8b20c31605d4ec5c381886602c534c567d89fe72b762ea0012c6a386fe2
                                                      • Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                      • Instruction Fuzzy Hash: C9810662E0855687EB258F24D85067E77A1FB64B44F888131DF8E4B6B4EB3CE885C781
                                                      Function 00007FFE013FA330 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                      • String ID: .$.
                                                      • API String ID: 479945582-3769392785
                                                      • Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                      • Instruction ID: 8275e18b30337a806bee0acb97c89ac6f28bcb3c1c654e6afb6dbbf6f28341cc
                                                      • Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                      • Instruction Fuzzy Hash: 3641A222A1868186EB20EF65E8447B97361FB847A4F514235EBAD2B7E4DF7CD485CB00
                                                      Function 00007FFE0140ABB0 Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1289COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0123456789-+Ee
                                                      • API String ID: 0-1347306980
                                                      • Opcode ID: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                      • Instruction ID: 8d055d28b228897768d62d149e83ee2d30a5676b3d6d8254119562ae02dcef01
                                                      • Opcode Fuzzy Hash: 61169c13199ed3d4064c93d2927a221ce72fd01a5b7481abd011cde4234e52e5
                                                      • Instruction Fuzzy Hash: C9C26D2AA09A4686EB668F5AD05017D37A1FB54F84B948439DE4E0F7B0CF3DECA5D304
                                                      Function 00007FFE0140BCD0 Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1289COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0123456789-+Ee
                                                      • API String ID: 0-1347306980
                                                      • Opcode ID: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                      • Instruction ID: 8c56d474226868440dbefd95ca10d49721b9bd82947f2d71860e8869346fa0f2
                                                      • Opcode Fuzzy Hash: 84a532bee9db7ff1801f6eb5ad8858bda123076906ee73766687b81cab70c0c4
                                                      • Instruction Fuzzy Hash: 68C26C36A09A42C6EB628F9AD19017D3761FB44B84B949179DE4E0B7B0CF3DECA5D700
                                                      Function 00007FFE01416338 Relevance: 9.6, APIs: 6, Instructions: 626COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014165AB
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141663D
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014166E0
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416B9C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416BEE
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416C35
                                                        • Part of subcall function 00007FFE0141EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0140923E), ref: 00007FFE0141EC08
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                      • String ID:
                                                      • API String ID: 15630516-0
                                                      • Opcode ID: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                      • Instruction ID: 78d0c767cc6aef04b28ef4b82da5f093593601aaf8168ed9f3edc2fd46092fe2
                                                      • Opcode Fuzzy Hash: e7c5cf994c53a8d34ab9bbf7dabb86085dad5b0e8b7200d4631a4a7f83e36980
                                                      • Instruction Fuzzy Hash: FF529162A18B8586EB10CF29D4442BD6761FB84B98F519131EF8D1BBB9EF7CE584C340
                                                      Function 00007FFE01416C84 Relevance: 9.6, APIs: 6, Instructions: 626COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416EF7
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01416F89
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141702C
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014174E8
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141753A
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01417581
                                                        • Part of subcall function 00007FFE0141EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0140923E), ref: 00007FFE0141EC08
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                      • String ID:
                                                      • API String ID: 15630516-0
                                                      • Opcode ID: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                      • Instruction ID: 748e48816144f59f553dfeed9376feca39e37365202c8ee98ff7e6f20934d904
                                                      • Opcode Fuzzy Hash: 0ed4efa0e723ec66b9d32ca45bc00d48bf62a8002029bc65276bd7ef6197e338
                                                      • Instruction Fuzzy Hash: AE527062A18B8586EB10CF29D4442BD7761FB84B99F519132EB8D0BBB5EF3CE585C340
                                                      Function 0000000140012220 Relevance: 8.9, APIs: 7, Instructions: 138COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 1799700165-0
                                                      • Opcode ID: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                      • Instruction ID: 3a6b280c2881091f38a62e61b74d670a019ca3ad59059a788fa850ef2ffa55ac
                                                      • Opcode Fuzzy Hash: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                      • Instruction Fuzzy Hash: D52112B5611A80CAE71DEE37A8523EA1362E79C7C4F149536BF594FAAEDE31C4218340
                                                      Function 00007FFE0140CDF0 Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 1331COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                      • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                      • API String ID: 1825414929-3606100449
                                                      • Opcode ID: ddd61782d9e4402da2bcb03becf798ae66cc8a3793171496245683449c1d3606
                                                      • Instruction ID: 267eae5ab12513735773ca69f8d10b63c73a63b502ed64d25f08d25bbd7a9c0d
                                                      • Opcode Fuzzy Hash: ddd61782d9e4402da2bcb03becf798ae66cc8a3793171496245683449c1d3606
                                                      • Instruction Fuzzy Hash: 4FD23826A09A8686EB568FDAD09017C3361FB54F84B549039DE5E0B7B4CF3DEC9AD310
                                                      Function 00007FFE0140DF10 Relevance: 8.3, APIs: 3, Strings: 1, Instructions: 1331COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                      • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                      • API String ID: 1825414929-3606100449
                                                      • Opcode ID: a2c3201d2fc563089677c4d096e338824b1e6b1947c9be9f1e037a0ad47d033a
                                                      • Instruction ID: a0691aeee1927ac17dff4f9d2aaff7f225d043045f6fb6d4fc975eee95b5f54d
                                                      • Opcode Fuzzy Hash: a2c3201d2fc563089677c4d096e338824b1e6b1947c9be9f1e037a0ad47d033a
                                                      • Instruction Fuzzy Hash: 30D25926A09A4686EB528F9AD19017C3761FB40F84B549839DF5E1B7B0CF3DECA6D310
                                                      Function 00007FFE01409460 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                      • String ID:
                                                      • API String ID: 1326169664-0
                                                      • Opcode ID: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                      • Instruction ID: 15e3bb1d1e740cde8be907a6ea62339ac50dc69c79779b2982dc86070a051ca5
                                                      • Opcode Fuzzy Hash: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                      • Instruction Fuzzy Hash: CFE15B22B19B5686EB11DFA6D4401AC73B2FB48B98B514136DE4D2BBB9DF3CD54AC300
                                                      Function 00007FFE01408FB0 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                      • String ID:
                                                      • API String ID: 1326169664-0
                                                      • Opcode ID: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                      • Instruction ID: 3c6fbb5760a0435cd1b2de23b39ed78b4ee84ecf8d135b80596b324515fa34f0
                                                      • Opcode Fuzzy Hash: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                      • Instruction Fuzzy Hash: 7DE15C22B09B5686FB11DBA6D4401AC7372FB48B98B51413ADE4D1BBB9DF3CD84AC300
                                                      Function 00007FFE013FE8B0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 634COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memchr
                                                      • String ID: 0123456789ABCDEFabcdef-+Xx
                                                      • API String ID: 2740501399-2799312399
                                                      • Opcode ID: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
                                                      • Instruction ID: fdf844f9999b0aa64c981cf4e1719c09e3a2cc4450d4874ea3da9a76e1629970
                                                      • Opcode Fuzzy Hash: 334d7375eb303fb89c7eac9aa9134fe4ac750cac4b38891268b2b9077aa0e199
                                                      • Instruction Fuzzy Hash: C052AF22B09AC68AFB519F29D05027C37A1BB05B84B568439DE5D2F7B5CF3DE866D300
                                                      Function 00007FFE01415470 Relevance: 5.3, APIs: 3, Instructions: 815COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE01427600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE013F3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0142760F
                                                        • Part of subcall function 00007FFE013FF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01424C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66), ref: 00007FFE013FF6FC
                                                      • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE77), ref: 00007FFE01415F35
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE77), ref: 00007FFE01415F4A
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE77), ref: 00007FFE01415F58
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Gettnames_lock_localesrealloc
                                                      • String ID:
                                                      • API String ID: 3705959680-0
                                                      • Opcode ID: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
                                                      • Instruction ID: 911489c45996b86c180fcf0db2ace2aa41c70c0d3ebd91cae5acb811dd4c36aa
                                                      • Opcode Fuzzy Hash: 7ad6bab48188330933ca28c44cb2edb3a07c4697b0200e124c8200cfab4ddd97
                                                      • Instruction Fuzzy Hash: 6E821762E09B4285FB56DF25E8402B937A1FF95B84F844135EA0E5E3B6EF3CE4818744
                                                      Function 00007FFE01414780 Relevance: 5.3, APIs: 3, Instructions: 815COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE01427600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE013F3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0142760F
                                                        • Part of subcall function 00007FFE013FF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01424C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66), ref: 00007FFE013FF6FC
                                                      • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE88), ref: 00007FFE01415245
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE88), ref: 00007FFE0141525A
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE88), ref: 00007FFE01415268
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Gettnames_lock_localesrealloc
                                                      • String ID:
                                                      • API String ID: 3705959680-0
                                                      • Opcode ID: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
                                                      • Instruction ID: b126b822032464e2610a96b727943718053427825fae5298d6aa3abb964c4528
                                                      • Opcode Fuzzy Hash: 0ef1217963bc5369e530805c846e4e35e9f3bfe495b111f51aa893b008085351
                                                      • Instruction Fuzzy Hash: 75821961E09B4285FB52DF25D8502B937A6BF94B84F894135EA0E5F3B6EF3CE4818740
                                                      Function 0000000140010BE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID: GetLastError() = 0x%X
                                                      • API String ID: 3479602957-3384952017
                                                      • Opcode ID: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                      • Instruction ID: 03957f339625c86e619908699dc07c15f857aa178ffe48bb474e222578fe156c
                                                      • Opcode Fuzzy Hash: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                      • Instruction Fuzzy Hash: 63219032A18BC083E7118B2AE400399B7A4F7D97A4F159315EBE8036E9EB78C545CB40
                                                      Function 00007FFE014244E0 Relevance: 5.0, APIs: 3, Instructions: 509COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE01421E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01421F72
                                                        • Part of subcall function 00007FFE01427600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE013F3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0142760F
                                                      • _Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66,?,?,?,?,?,?,?,00007FFE013FF7E7), ref: 00007FFE01424BCF
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66,?,?,?,?,?,?,?,00007FFE013FF7E7), ref: 00007FFE01424BE4
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE013FFE66,?,?,?,?,?,?,?,00007FFE013FF7E7), ref: 00007FFE01424BF3
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
                                                      • String ID:
                                                      • API String ID: 962949324-0
                                                      • Opcode ID: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                      • Instruction ID: 7136e14f5a15320971dc6b792c29ca5615029707810a2edc5c2ddf5da90167c7
                                                      • Opcode Fuzzy Hash: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                      • Instruction Fuzzy Hash: E9325925A09B0285FB51DF25E8441B937A6FFA4B84B894035EA0E4F7B6EF3CE4818341
                                                      Function 00007FFE01414340 Relevance: 3.3, APIs: 2, Instructions: 297COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014146ED
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0141473B
                                                        • Part of subcall function 00007FFE0141EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0140923E), ref: 00007FFE0141EC08
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                      • String ID:
                                                      • API String ID: 15630516-0
                                                      • Opcode ID: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                      • Instruction ID: a5d8537b2bb3b91d4c92feec80caa1742e4585bd9571a2363e8f82915d766a40
                                                      • Opcode Fuzzy Hash: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                      • Instruction Fuzzy Hash: 6DD14B22B09B9686FB10CFA5D5402AC6372EB48B98F454532DE5D2BBB9DF3CE459C340
                                                      Function 00007FFE01413F00 Relevance: 3.3, APIs: 2, Instructions: 297COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014142AD
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE014142FB
                                                        • Part of subcall function 00007FFE0141EBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE0140923E), ref: 00007FFE0141EC08
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                      • String ID:
                                                      • API String ID: 15630516-0
                                                      • Opcode ID: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                      • Instruction ID: 72bb24b7e968e5676f360831866536c7f7df2e16f6271fb8285e948d4939a777
                                                      • Opcode Fuzzy Hash: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                      • Instruction Fuzzy Hash: 22D14A22B09B5686FB10CFA5D5542AC63B2EB48B98F454132DE4D2BBB9DF3CE449C340
                                                      Function 00007FFE014060D0 Relevance: 3.3, APIs: 2, Instructions: 251COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                      • String ID:
                                                      • API String ID: 1654775311-0
                                                      • Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                      • Instruction ID: 1fb699311109f47b8383a1e2d679b76a42f723b0c56a2d3a631fb20cf7476a43
                                                      • Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                      • Instruction Fuzzy Hash: 79A1C462F096A285FB119BA6D4506BC37A1BB45B98F564039DE4E1FBB5CF3CD861C300
                                                      Function 00007FFE01406440 Relevance: 3.3, APIs: 2, Instructions: 251COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                      • String ID:
                                                      • API String ID: 1654775311-0
                                                      • Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                      • Instruction ID: c313af9479ceafabf99280874f5f5ea31e3857a27d0d06bb6360d12ce506ed01
                                                      • Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                      • Instruction Fuzzy Hash: 68A19362F096A286FB118BA6E4506BC37A1BB55B98F554039DE4E1FBB4DF3C9851C300
                                                      Function 00007FFE013FA7B0 Relevance: 3.1, APIs: 2, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: DiskFreeSpace_invalid_parameter_noinfo_noreturnmemcpymemmove
                                                      • String ID:
                                                      • API String ID: 1762017149-0
                                                      • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                      • Instruction ID: 61629fd60b6159e3f4045915ccedf8196e816c7c6fcc868f0c3eeb29ab77bbe3
                                                      • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                      • Instruction Fuzzy Hash: F4416D22B14B8598FB00DFA1D8406AC3BB5FB48BA8F555629DE5D27BA8DF7CD085C340
                                                      Function 00007FFE0141EFC0 Relevance: 3.0, APIs: 2, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: InfoLocale___lc_locale_name_func
                                                      • String ID:
                                                      • API String ID: 3366915261-0
                                                      • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                      • Instruction ID: dcd277f1727c33cf4c0dcbf07359ee9b4be2fd4d0c3c0a78fc2d22a5e00c5508
                                                      • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                      • Instruction Fuzzy Hash: 81F039B6E2C14283E7A85B28E4697392B60FB4474AF400136E90F4E6B4CF6DE94ED741
                                                      Function 00007FFE01410710 Relevance: .4, Instructions: 410COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                      • Instruction ID: 2bbc3db8710b2d842226b35d564bc0757b78124e8338025138170a4776a47086
                                                      • Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                      • Instruction Fuzzy Hash: 01020326A19A468AEB618F29D45037D33A1FB54F88F549032EA4E1F7B5CF3DD886C350
                                                      Function 00007FFE01422880 Relevance: .4, Instructions: 391COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                      • Instruction ID: 65f20101e7501427282c299a2831c4a9abc4750940e4f43d0da71b9a0aa784c0
                                                      • Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                      • Instruction Fuzzy Hash: E8026E22A09A4689EB518F2AD45077C37A1FB64F98F949131CA4E4F7B5CFBDD882C311
                                                      Function 00007FFE013FF9B0 Relevance: .3, Instructions: 331COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _lock_locales
                                                      • String ID:
                                                      • API String ID: 3756862740-0
                                                      • Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                      • Instruction ID: 3b7e7ffa4f940b4d69a81e245852395385cf6753d50ee24bad1702c89a7960d6
                                                      • Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                      • Instruction Fuzzy Hash: 4DE15C22E09B8285FB56AF25A8401B933A5EF54BD0F454139ED4E5F7B6DF3CE4428740
                                                      Function 0000000140004730 Relevance: 67.0, APIs: 5, Strings: 33, Instructions: 470COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • memset.VCRUNTIME140 ref: 000000014000475B
                                                        • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                        • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                        • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                      • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                        • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                      • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                      • API String ID: 2423274481-1946953090
                                                      • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                      • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                      • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                      • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                      Function 00007FFE1A538C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                      • API String ID: 2943138195-1388207849
                                                      • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                      • Instruction ID: a74bfa1425be8e96dd24e5497d60fb17a66e5bb6bc34b32ef3846cb1a1208c0c
                                                      • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                      • Instruction Fuzzy Hash: 59F16EB2F1CE1294F7198B66D8542BC26B0BF82B64F4045FBCA1D56AB8DF3DA644C740
                                                      Function 00007FFE1A53C3C8 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: `anonymous namespace'
                                                      • API String ID: 2943138195-3062148218
                                                      • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                      • Instruction ID: 5d80b17ffae3e599e4e4ee055236bd712223455a7a67871aac9c12fc7558e52c
                                                      • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                      • Instruction Fuzzy Hash: 24E12972A0CF8695EB10CF26E4802BD77A0FB86B54F4480B6EA4D57B65EF38E554C700
                                                      Function 0000000140002630 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 290COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                      • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                      • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                      • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                      • String ID: (
                                                      • API String ID: 703713002-3887548279
                                                      • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                      • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                      • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                      • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                      Function 00000001400107F0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 268libraryloaderCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                      • String ID: [NOT FOUND ] %s
                                                      • API String ID: 2350601386-3340296899
                                                      • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                      • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                      • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                      • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                      Function 00007FFE1A53A83C Relevance: 22.9, APIs: 15, Instructions: 358COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID:
                                                      • API String ID: 2943138195-0
                                                      • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                      • Instruction ID: accf7b66260b36f056dd3b3a3c587051a8ac1890e43df09590fc01197bf6995f
                                                      • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                      • Instruction Fuzzy Hash: FCF17B72F0CA829AE711DF66D4901FC37B0AB86B58F4440F6EB4D67AA9DE38D519C340
                                                      Function 000000014001189C Relevance: 22.6, APIs: 15, Instructions: 94COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                      • String ID:
                                                      • API String ID: 1818695170-0
                                                      • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                      • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                      • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                      • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                      Function 00007FFE1A53D20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                      • API String ID: 2943138195-2309034085
                                                      • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                      • Instruction ID: abdef68fee57e12a9e820628bd85960d1f71e23e4ef79095c2ffd812cbc038f9
                                                      • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                      • Instruction Fuzzy Hash: 4AE18C63F0CE5294FB159B6699541FC27B0AF92F64F4409F7DA0E17AB9DE3CA9088340
                                                      Function 0000000140003320 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 422COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                      • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                      • API String ID: 140832405-680935841
                                                      • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                      • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                      • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                      • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                      Function 00007FFE1A532CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 3436797354-393685449
                                                      • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                      • Instruction ID: cfcbaf154ffb819716330ac0142327a91cc2e5afd221a82b6249c5b13df94228
                                                      • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                      • Instruction Fuzzy Hash: DCD15E76B0CB4186EB109B66D4412BD77A4FF96BA8F0001B6DE8D57B66CF38E494C700
                                                      Function 00007FFE013F26E0 Relevance: 18.2, APIs: 12, Instructions: 238COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                      • String ID:
                                                      • API String ID: 3420081407-0
                                                      • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                      • Instruction ID: f4588367c80a70311fb496792d0b497f31fbce1798604a99e838af66e09d7a63
                                                      • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                      • Instruction Fuzzy Hash: D4A1B162A086C2C6FF31AF2094107BB6692EF04BA4F454639DE5D2E7E5DF7CE8488340
                                                      Function 00007FFE0140692C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A87E), ref: 00007FFE01406971
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A87E), ref: 00007FFE0140698E
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE014069AA
                                                      • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A87E), ref: 00007FFE014069B3
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A87E), ref: 00007FFE014069D0
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE014069EC
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01406A01
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      Strings
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01406999
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE014069DB
                                                      • :AM:am:PM:pm, xrefs: 00007FFE014069FA
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                      • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 2460671452-35662545
                                                      • Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                      • Instruction ID: 6fc0ecaf11e29c266c4eb9242793c18c24ef1462f9275c2fa64a8a7e0099d474
                                                      • Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                      • Instruction Fuzzy Hash: 85213C72A08F4182EB01DF25E4502A973A2FB98F84F458235DA4D4B776EF3CE595C380
                                                      Function 00007FFE013F2B20 Relevance: 16.7, APIs: 11, Instructions: 203COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                      • String ID:
                                                      • API String ID: 1733283546-0
                                                      • Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                      • Instruction ID: f3720c1b52b1a7f1b507ef972acd566c79e7636e4666c2bc111df6e799b42706
                                                      • Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                      • Instruction Fuzzy Hash: 30919032A08B82C7EB249F51D44077A67A1FB44BA4F554239EA5D6FBE8DF7CE4458300
                                                      Function 00007FFE01429350 Relevance: 16.7, APIs: 11, Instructions: 168COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                      • String ID:
                                                      • API String ID: 3166507417-0
                                                      • Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                      • Instruction ID: b3e2560a6667ff7b24a38bdf76836af04701b456d5d14642d5bb4b5760f7902a
                                                      • Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                      • Instruction Fuzzy Hash: F5618322F086529AFB10DFA2D4801FD2761AB6874CF904536DE0D6BAB5DE3CE58EC701
                                                      Function 00000001400071E0 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                      • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                      • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                      • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                      • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                      • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                      • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                      • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                      • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                      • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                        • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                        • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                        • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                        • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                        • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                        • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                        • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                        • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                      • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                      • String ID:
                                                      • API String ID: 2702579277-0
                                                      • Opcode ID: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                      • Instruction ID: 4e02132fa2518a481f17a5c3ad5963577c23686a774b89ce01035fe16d76d46e
                                                      • Opcode Fuzzy Hash: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                      • Instruction Fuzzy Hash: 09618EB2608A4082FB12CB26F8947EA67A2F78EBD0F505121FB9D476B5DF3DC5498700
                                                      Function 00007FFE01439BC0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 229COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                      • Instruction ID: d5f32a1580af344c128eb07461130b0a780cb29a97cd89ada5afa2f6e8f6ecc6
                                                      • Opcode Fuzzy Hash: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                      • Instruction Fuzzy Hash: 2F91A022A18A4A82EF64DF19E4913B97761FB80F88F548036CA4E4B7B5DF7DD446C300
                                                      Function 00007FFE1A53E350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                      • API String ID: 0-3207858774
                                                      • Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                      • Instruction ID: 8f065517ab70d0ae427be357836a4a98134a18e91ecd485643e0fb1f1122e358
                                                      • Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                      • Instruction Fuzzy Hash: E2913962B0CE8699EB118B22E4502BC37E1AF96FA4B4840F6DE4D037A5EF3CE505D750
                                                      Function 00007FFE1A53A13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+$Name::operator+=
                                                      • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                      • API String ID: 179159573-1464470183
                                                      • Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                      • Instruction ID: 6a2766d51977583a39626436be29324422dba0c85a325b472a095d8587eff7ad
                                                      • Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                      • Instruction Fuzzy Hash: 97513A31F1CE6699FB14CB66E8405BC37B0BF46BA4F5041BAEA0D57A68EF2AD541C700
                                                      Function 00007FFE0142B440 Relevance: 15.2, APIs: 10, Instructions: 167COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                      • String ID:
                                                      • API String ID: 3781602613-0
                                                      • Opcode ID: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                      • Instruction ID: 1d3eafeb9c56c4d7017c071ec4c2bbd9ff6b52b09cff560f3f9c7092ce2512f9
                                                      • Opcode Fuzzy Hash: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                      • Instruction Fuzzy Hash: 62615122F085429AF721DFA2D4812FD2761EB64748F904536DE0D6BAB5DE3CE58EC701
                                                      Function 00007FFE1A5388E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID:
                                                      • API String ID: 2943138195-0
                                                      • Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                      • Instruction ID: 629e02eea09fd4d18619713f9e6fc1c533e88526bd0e2091754f5c20e8f3d606
                                                      • Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                      • Instruction Fuzzy Hash: C3615062F08F5698F701DBA2D8801FC27B1BF85BA8B4044B6EE4D6BA69DF78D545C340
                                                      Function 00007FFE1A5331A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 211107550-393685449
                                                      • Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                      • Instruction ID: c3993220d239acd2e0d04f3a0dc45fd37d4f02613580c51f2be66476aaeff4e1
                                                      • Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                      • Instruction Fuzzy Hash: C6E17372B0CA818AE7109F66D4802BD7BA1FF86F68F1441B6DA9D47766DF38E485C700
                                                      Function 00007FFE0142A080 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 148COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memchrtolower$_errnoisspace
                                                      • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                      • API String ID: 3508154992-2692187688
                                                      • Opcode ID: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                      • Instruction ID: ea714a6a99bd1aefc24bf811c340c45e514dab14f22a4f16681f19b7f96581aa
                                                      • Opcode Fuzzy Hash: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                      • Instruction Fuzzy Hash: 1751FA12A0D7D246FB618F2499143BD6691BB55BE4FB84030CE9D4FBB5DE3CA882C712
                                                      Function 00007FFE1A53BE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                      • API String ID: 2943138195-2239912363
                                                      • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                      • Instruction ID: 5ca46681bb3f7eb7439df5bacf718e3a570f5ee832898dc38f2dfaa22618fc2a
                                                      • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                      • Instruction Fuzzy Hash: 2A514962F1CF9598FB118B62D8412BC77B0BF8AB64F4540FACA4D12AA5EF3C9144C710
                                                      Function 00000001400078C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                        • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                        • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                        • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                        • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                        • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                      • String ID: ImptRED_CEvent_
                                                      • API String ID: 2242036409-942587184
                                                      • Opcode ID: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                      • Instruction ID: 9b405900c275d478bf9193c59fc3990d56eeb31e22b03c6e117ca8d8066cf312
                                                      • Opcode Fuzzy Hash: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                      • Instruction Fuzzy Hash: 1D519AB2204B8096EB11CB6AE89079E7B70F389B98F504111EF8D57BA9DF3DC549CB00
                                                      Function 0000000140007E00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                        • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                        • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                        • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                        • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                        • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                      • String ID: ImptRED_SEvent_
                                                      • API String ID: 2242036409-1609572862
                                                      • Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                      • Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
                                                      • Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                      • Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40
                                                      Function 0000000140007A80 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                        • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                        • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                        • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                        • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                        • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                      • String ID: ImptRED_CmdMap_
                                                      • API String ID: 2242036409-3276274529
                                                      • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                      • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                      • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                      • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                      Function 0000000140007C40 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                        • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                        • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                        • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                        • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                        • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                        • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                      • String ID: ImptRED_DMap_
                                                      • API String ID: 2242036409-2879874026
                                                      • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                      • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                      • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                      • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                      Function 00007FFE013F6C20 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 1099746521-1866435925
                                                      • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                      • Instruction ID: 906b499b5c6fd16a29edcf86ca7eb8a1217bf44ff731c96d7a8a3406cc29dcbb
                                                      • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                      • Instruction Fuzzy Hash: 4A21F5A1E1958A96FF54EB10E8837F92322EF50740F98443AD58E1E5B6EF2DE54AC340
                                                      Function 0000000140004FF0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 275stringCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                        • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                        • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                      • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                        • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                      • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                      • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                      • String ID: MRDH$SideCarLut
                                                      • API String ID: 916663099-3852011117
                                                      • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                      • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                      • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                      • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                      Function 00007FFE01439940 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 171COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                      • Instruction ID: 4ba8893faf807f1f1ad577847dbc6b5fdd41119bc0d3ced61992d9ad6cc883b5
                                                      • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                      • Instruction Fuzzy Hash: 78619D22A08A8686EF64DF19E4913B96761FF80F89F548136CA4E4B7B5DF7DD446C300
                                                      Function 00007FFE014043F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167fileCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 1428583292-1866435925
                                                      • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                      • Instruction ID: 0e771680fa94b85d8f644288c44d8d82c871c1432b329babdd3ad2b5524fb7bc
                                                      • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                      • Instruction Fuzzy Hash: 10717D72619A82D6EB51CF66E4802A933A0FB44B88F894036EB4D4BBB5DF3DD955C300
                                                      Function 00007FFE1A535F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                      • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                      • API String ID: 1852475696-928371585
                                                      • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                      • Instruction ID: 013cd142a6995ac864fa583159ae1beaf80749e4ddf302ae3493ce6572dbce35
                                                      • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                      • Instruction Fuzzy Hash: 9551AE62B1CE4696DA20CB26E4912BA6360FF85FA8F0054F6DA4E07A75EF3CE105C300
                                                      Function 00007FFE014396E0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE014398D3
                                                      • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0142C678), ref: 00007FFE014398E4
                                                      • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE01439927
                                                      • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0142C678), ref: 00007FFE01439938
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                      • Instruction ID: b1959b1d913e132410ef4697aa88504056e5d74880b6ae8d49394b8075051df3
                                                      • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                      • Instruction Fuzzy Hash: B9617B22A18A46C2EB68CF19E4913B96760FF80F98F458036CA4E4B3B5DFADD446C300
                                                      Function 00007FFE01429E70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memchrtolower$_errnoisspace
                                                      • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                      • API String ID: 3508154992-4256519037
                                                      • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                      • Instruction ID: 6c23253563a7be9212e220d0779ed1e82e2213a77c069c1800a2b0f6d9e8d94e
                                                      • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                      • Instruction Fuzzy Hash: C6512822A0D69646FB618E20E42077D7691BF65B98F994034DD8D8B7B4DF3CE882C712
                                                      Function 00007FFE013FB280 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 127COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                      • Instruction ID: 787fe88f534caeddeb85b322243a91f45219a100c4cb62fb1db474d0fe8ef787
                                                      • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                      • Instruction Fuzzy Hash: C75180A2A08A8982EF50EF19D4C02B9A361FF44F98F554536DA5D9B7B9DF3CD846C300
                                                      Function 00007FFE1A53E148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+$Name::operator+=
                                                      • String ID: {for
                                                      • API String ID: 179159573-864106941
                                                      • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                      • Instruction ID: 2f68bad466aacad969667c7b83dca1f850f10dba4ab56afa6acb3d17ffcba425
                                                      • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                      • Instruction Fuzzy Hash: 24513972B0CA85A9E7119F26D4413FC63A1EB86B68F4480F6EA4C47BA5EF7CE554C310
                                                      Function 00007FFE1A5368AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A536931
                                                      • GetLastError.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A53693F
                                                      • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A536958
                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A53696A
                                                      • FreeLibrary.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A5369B0
                                                      • GetProcAddress.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A5369BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                      • String ID: api-ms-
                                                      • API String ID: 916704608-2084034818
                                                      • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                      • Instruction ID: 6bee55ca76f33367972f73decf52de0ff214f3acd376dc3f719c00d5ae84bead
                                                      • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                      • Instruction Fuzzy Hash: 66319222B1EF4295EE159B0398001B662A4BF86FB0F5945FADD1E077A4EF3CE144C320
                                                      Function 00007FFE014212C4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE01421309
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE01421326
                                                      • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE0142134B
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE01421368
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      Strings
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01421331
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE01421373
                                                      • :AM:am:PM:pm, xrefs: 00007FFE01421392
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                      • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 1539549574-35662545
                                                      • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                      • Instruction ID: 3db0a7b9ad755819336767602133b0c53061a66b95ffb94ddd5373a997c9c6b9
                                                      • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                      • Instruction Fuzzy Hash: F2213E76A04B8582EB10DF21E4402A973A2FB98F94F498635DA4D5B776EF3CE585C380
                                                      Function 00007FFE01406A20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE01406A5E
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE01406A7B
                                                      • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE01406A9B
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE01406AB8
                                                        • Part of subcall function 00007FFE013F4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4DF9
                                                        • Part of subcall function 00007FFE013F4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E28
                                                        • Part of subcall function 00007FFE013F4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E3F
                                                      Strings
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE01406AC3
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01406A86
                                                      • :AM:am:PM:pm, xrefs: 00007FFE01406AD4
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                      • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 1539549574-3743323925
                                                      • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                      • Instruction ID: dd3629450851faaafa474d19ec1713f4e9ec68baf489643368e3c8f767a6cab0
                                                      • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                      • Instruction Fuzzy Hash: F2214A22A08B4682EB20DF21F454269B3B1FB99B94F414234DA4E4B7B6EF7CE484C740
                                                      Function 00007FFE1A5325E8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$AdjustPointer
                                                      • String ID:
                                                      • API String ID: 1501936508-0
                                                      • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                      • Instruction ID: b8b84502707dbb4a39dd8ddb30bd53527bc5a15179d70697402766f6ae676e2b
                                                      • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                      • Instruction Fuzzy Hash: B9515AA2B0EE4281EA659B17954463C6394BFA6FE4B1584FBDA4E067A5DE3CE441C300
                                                      Function 00007FFE1A5327CC Relevance: 12.1, APIs: 8, Instructions: 148COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$AdjustPointer
                                                      • String ID:
                                                      • API String ID: 1501936508-0
                                                      • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                      • Instruction ID: 4c12f51f128d9c81e1833d6a26f9b931d0a21b71dd5c548733415ccb8a2fd3ae
                                                      • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                      • Instruction Fuzzy Hash: DA519062F0DF4291EA658B17944463CA394AFA6FE0F0984FBDA4E067A5DF7CE481C310
                                                      Function 00007FFE01429950 Relevance: 10.7, APIs: 7, Instructions: 167COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                      • String ID:
                                                      • API String ID: 578106097-0
                                                      • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                      • Instruction ID: 6a947751c457a589d1951ce27fa929038d86b3a9fcbb4a6c0a43430abe1945da
                                                      • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                      • Instruction Fuzzy Hash: 2961E622F1C65286EB11DF61E4805BE6720FBA4748F904132EE4E5B7B5DE3CD58AC701
                                                      Function 00007FFE014290D0 Relevance: 10.7, APIs: 7, Instructions: 167COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                      • String ID:
                                                      • API String ID: 578106097-0
                                                      • Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                      • Instruction ID: 953b296227c860e83b26a9282d5c13a3550bc1d568f9eac4751fa27584986e61
                                                      • Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                      • Instruction Fuzzy Hash: 5161E222B1CA5282E711DF61E4806FE6760FFA5348F900536EE4E1B6B5DE3CE58AC701
                                                      Function 000000014000C2E0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 164COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                        • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                        • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                      • memmove.VCRUNTIME140 ref: 000000014000C3C8
                                                      • memmove.VCRUNTIME140 ref: 000000014000C427
                                                        • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                        • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$memmove$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                      • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                      • API String ID: 1084872782-103080910
                                                      • Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                      • Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
                                                      • Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                      • Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340
                                                      Function 00007FFE1A535520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileHeader_local_unwind
                                                      • String ID: MOC$RCC$csm$csm
                                                      • API String ID: 2627209546-1441736206
                                                      • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                      • Instruction ID: 98af42da1edb0a369400b7acc8aacb75340877a401e8efc4a43537c8acc532d0
                                                      • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                      • Instruction Fuzzy Hash: B5515F72B0DA118AEA609F37904137D66A0FFC6FA8F5420F7EA4D467A5DE3CE4418A01
                                                      Function 00000001400074F0 Relevance: 10.6, APIs: 7, Instructions: 131COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                      • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                      • String ID:
                                                      • API String ID: 1492985063-0
                                                      • Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                      • Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
                                                      • Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                      • Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300
                                                      Function 00007FFE013FBA68 Relevance: 10.6, APIs: 7, Instructions: 110COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB38
                                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB48
                                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB5D
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB91
                                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBB9B
                                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBBAB
                                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBBBB
                                                        • Part of subcall function 00007FFE014425AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5AF8), ref: 00007FFE014425C6
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID:
                                                      • API String ID: 2538139528-0
                                                      • Opcode ID: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                      • Instruction ID: f074bb4193fc39d2620981d47998d6c81fb9090b2953e7f5c51e2fe46d0b0cd0
                                                      • Opcode Fuzzy Hash: 8d6a24f3bf634d623b6df647f64059c90c5502672a76569a8a726b311e782cf9
                                                      • Instruction Fuzzy Hash: 6C41D2A2B08AC592EF14AB16E4042A9A322FB44BC4F954536EF1D1FBBECE7CD041C340
                                                      Function 00007FFE014058B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2924853686-1866435925
                                                      • Opcode ID: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                      • Instruction ID: 4e12194930b967f0ac57799e8d505d97b1f28549d3a13319e7fea3cbc80c31a5
                                                      • Opcode Fuzzy Hash: 1f64c6e00743e2b6d18f717fbe02c07a67212b368ea4998e783aa68016d173a4
                                                      • Instruction Fuzzy Hash: F141AD72A14B8686EB55CF65E4403B933A0FB14B98F444139DA4C4F6B5DF3CE9A5CB40
                                                      Function 00007FFE01402FAC Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: CurrentThread$xtime_get
                                                      • String ID:
                                                      • API String ID: 1104475336-0
                                                      • Opcode ID: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                      • Instruction ID: 9423321279c73148f66975f8e9a9b928b5b3cbed908596dee2130ce962642f6d
                                                      • Opcode Fuzzy Hash: b41b3e793df45e27213671b53cb51a1755b037ad1250a9a602788c96421386ed
                                                      • Instruction Fuzzy Hash: 9E413B72A09646CBEB61CF56E44427977A1FB44B44F10803ADB8E4A6B4DF3EEC85C701
                                                      Function 00007FFE01413B28 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE01413B56
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01413BCF
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01413BE5
                                                      • _Getvals.LIBCPMT ref: 00007FFE01413C8A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                      • String ID: false$true
                                                      • API String ID: 2626534690-2658103896
                                                      • Opcode ID: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                      • Instruction ID: bf1b83a154f8da1d80604fc93e994b4571834da301881aac0453ec4881b43f5b
                                                      • Opcode Fuzzy Hash: c695a158c0b5114809dc70b7d0fbfaf85c4eed1fbf093ad79dd2f17f0fdf62ac
                                                      • Instruction Fuzzy Hash: 5E415D26B08B919AF711CF74E4401ED33B1FB9874CB405226EE4D2BA69EF38D596C340
                                                      Function 00007FFE1A53D740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: NameName::atol
                                                      • String ID: `template-parameter$void
                                                      • API String ID: 2130343216-4057429177
                                                      • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                      • Instruction ID: 8f50cac90c26c8a1d22a0b8bc4d53e193e35bae95b6bd2238095fd8f5ccf0a26
                                                      • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                      • Instruction Fuzzy Hash: AF414922F0CF5688FB009BA2D8512BC2371BF4ABA4F5454BACE0D17A65EF78A509C350
                                                      Function 00007FFE1A538624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                      • API String ID: 2943138195-2211150622
                                                      • Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                      • Instruction ID: dfee26fb4fea986748f878a99bbc57f1da13dbde16fa75e52a9c869253554502
                                                      • Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                      • Instruction Fuzzy Hash: 25413772B1CF8688FB168B66E8402BC37A0BF4AB58F4441BADA4D53764EF3CA545C750
                                                      Function 00007FFE1A53A31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: char $int $long $short $unsigned
                                                      • API String ID: 2943138195-3894466517
                                                      • Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                      • Instruction ID: 8db53833b7a01839e029b66513b7da1be11942a1800b005db6759b0eca91be54
                                                      • Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                      • Instruction Fuzzy Hash: 65414932F1CA6689F7158B6AE8441BC37B1BF8AB64F4481F6CA0C56B68DF3D9544C710
                                                      Function 00007FFE013FC0A0 Relevance: 9.3, APIs: 6, Instructions: 318stringCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                      • String ID:
                                                      • API String ID: 3009415009-0
                                                      • Opcode ID: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                      • Instruction ID: ad9a90c1e3a3380d0b6206613b4248cf835436d0d7b25cea1cd62c2a64b9bc85
                                                      • Opcode Fuzzy Hash: 79913b7f2cf0946d329c90ba2b268b1e17353789fc4b59f1bbc5e2c67373d880
                                                      • Instruction Fuzzy Hash: 82E16D22B09B8685FB11DBB5D4406AC6372FB49B88F515136DE5D2BBA9DF3CD44AC300
                                                      Function 00007FFE014200EC Relevance: 9.2, APIs: 6, Instructions: 235COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Dunscale$_errno
                                                      • String ID:
                                                      • API String ID: 2900277114-0
                                                      • Opcode ID: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                      • Instruction ID: bb7532c0a8596e09fdc1c3c2389b0a704279868e42300d3676fbc183d0d34c49
                                                      • Opcode Fuzzy Hash: ca9a7425e4338700c7aba562b0c02e094e8ac02fa288402a05e4d39a5ba85423
                                                      • Instruction Fuzzy Hash: 2FA1D332E086469AEB10DF2685800BD73A1FF66758F948231F7091B5BADF3CB4DA9741
                                                      Function 00007FFE014286F0 Relevance: 9.2, APIs: 6, Instructions: 235COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Dunscale$_errno
                                                      • String ID:
                                                      • API String ID: 2900277114-0
                                                      • Opcode ID: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                      • Instruction ID: 18cbd59db16a610c9fc145de933dab68b049303adc370ec840564dacd9673993
                                                      • Opcode Fuzzy Hash: d9a476555f6a1f41d58d263dd2005ababac50c55a1706ecba255774e6695b5d8
                                                      • Instruction Fuzzy Hash: 75A1A227E18E8B86E711DE3484401BD63A2FF667D4F904235EA4E2E5B5EF3CA0D68301
                                                      Function 000000014000AF60 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 192COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memmove$memcpy$_invalid_parameter_noinfo_noreturn
                                                      • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                      • API String ID: 100741404-1215215629
                                                      • Opcode ID: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                      • Instruction ID: 1f94f83d43c849715069b53280c3cf1e8531b19b99bc01c412034d7b6d4e24df
                                                      • Opcode Fuzzy Hash: 98457a8c532842630b98285b89b9ec496e863bcfed3b0f9c1b1bfdd0cf47a7ec
                                                      • Instruction Fuzzy Hash: B19122B1211A8499EB22DF27F8503DA7361F74ABD4F884222EB490B7B9DB7EC141C701
                                                      Function 00007FFE013F8F20 Relevance: 9.2, APIs: 6, Instructions: 185COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: fgetc
                                                      • String ID:
                                                      • API String ID: 2807381905-0
                                                      • Opcode ID: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                      • Instruction ID: 3a39e832a27d8c715d5483f927ea6d3cd0c002d628e50e107b0945c909dfe99e
                                                      • Opcode Fuzzy Hash: 4d115736c04dabe9d8380459469711e0ea65801a3abab2b82b9901b7a97ab16c
                                                      • Instruction Fuzzy Hash: 40914C73605A8189EB10DF25D4943AC33A1FB48B9CF56123AEA4E5BBA9DF3DD458C300
                                                      Function 00007FFE0142B960 Relevance: 9.2, APIs: 6, Instructions: 167COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                      • String ID:
                                                      • API String ID: 3490103321-0
                                                      • Opcode ID: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                      • Instruction ID: 73e2f588164fb4c27e4c4e52aa6855933ec2bb15b470adf1cc409a9b0304e28f
                                                      • Opcode Fuzzy Hash: a30ae13c142e2dcabb77bc798d6d9a85e0f23e3fe7315f8aa89f8282773a3d2d
                                                      • Instruction Fuzzy Hash: E661D522F1CA4286E721DF61E4805BE7760FBA4744F904532EE4E5BAB9DE3CD589CB01
                                                      Function 00007FFE0142B1C0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                      • String ID:
                                                      • API String ID: 3490103321-0
                                                      • Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                      • Instruction ID: 2512b7ca6506b6210c0d7812f60297bfb5b4235a7a053c411df193c4ee8a2679
                                                      • Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                      • Instruction Fuzzy Hash: 5361C422B1CA4282E711DF61E4805FE6760FFA5744F900532EE4E5BAB5DF7CE58A8B01
                                                      Function 00007FFE013F9A58 Relevance: 9.1, APIs: 6, Instructions: 112COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 1775671525-0
                                                      • Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                      • Instruction ID: f0df9d4c83997f2469ca076860e1cd9aeef013c4e6a6dd2ab8e2acc452abb021
                                                      • Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                      • Instruction Fuzzy Hash: D041F36171868592EF14AB26E4043A96352FB04BE4F95463AEF6D0FBF5DE7CE041C300
                                                      Function 00007FFE013FA000 Relevance: 9.1, APIs: 6, Instructions: 93fileCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileHandle$CloseCreateInformation
                                                      • String ID:
                                                      • API String ID: 1240749428-0
                                                      • Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                      • Instruction ID: cf5c1c18fe3158371b2d1895e8bea3838e92857c37708694deefb48bbe4f4a4f
                                                      • Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                      • Instruction Fuzzy Hash: BB41AE22F086818BF760CF70A8507AA33A1EB487A8F025735EE1C1BAA4DE3CD5958740
                                                      Function 00007FFE1A5362D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                      • String ID:
                                                      • API String ID: 3741236498-0
                                                      • Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                      • Instruction ID: 441f241423cfb34a15b79d0cf8f282f0e25f341d526130a1db0268484af0c1fc
                                                      • Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                      • Instruction Fuzzy Hash: AC31B221B1DB9590EA118B27A80457A73A0FF8AFE4B5555FADE2D037A0EE3DD442C310
                                                      Function 00000001400117B8 Relevance: 9.1, APIs: 6, Instructions: 54COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                      • String ID:
                                                      • API String ID: 2153537742-0
                                                      • Opcode ID: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                      • Instruction ID: 534899ad21150968aac174715d7514135b35f9473fc5e80356d1b8ef46292b69
                                                      • Opcode Fuzzy Hash: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                      • Instruction Fuzzy Hash: 95115E38A0024155FA5FB7F398173EC11969FAC3C4F454524BB498F2F3EE7B88658662
                                                      Function 00007FFE013F2F50 Relevance: 9.1, APIs: 6, Instructions: 51COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2F59
                                                      • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2F6B
                                                      • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2F7A
                                                      • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2FE0
                                                      • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F2FEE
                                                      • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE013F5F96), ref: 00007FFE013F3001
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                      • String ID:
                                                      • API String ID: 490008815-0
                                                      • Opcode ID: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                      • Instruction ID: 637e7d555ecbf406e8f121ff53b179020048fbe42432aecbc7da7bfb835811be
                                                      • Opcode Fuzzy Hash: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                      • Instruction Fuzzy Hash: 5C210E62D18F8583EB019F38D5052787760FBA9B49F15A224CE8D1A232EF7DE5E9C340
                                                      Function 0000000140007850 Relevance: 9.0, APIs: 6, Instructions: 21fileCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle$FileUnmapView
                                                      • String ID:
                                                      • API String ID: 260491571-0
                                                      • Opcode ID: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                      • Instruction ID: e4157fc547da492297a5d265050bc8fab675aa544c6886f43f24823cbbcadd6d
                                                      • Opcode Fuzzy Hash: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                      • Instruction Fuzzy Hash: 1DF01438616E00D5FA07DB63ECA83A427A1BB8DBD9F440211EB4E4B331DE3F85998300
                                                      Function 00007FFE1A5338A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$CallEncodePointerTranslator
                                                      • String ID: MOC$RCC
                                                      • API String ID: 2889003569-2084237596
                                                      • Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                      • Instruction ID: 55dbf0f9a6f14d12056fcb565902045fecf3254740b3f942bf11110ca60b9df2
                                                      • Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                      • Instruction Fuzzy Hash: C6916373B08B858AE710CB66E4402BD7BA0FB45BA8F1441AAEE8D57765DF38D195C700
                                                      Function 00007FFE1A53BB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                      • API String ID: 2943138195-757766384
                                                      • Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                      • Instruction ID: 9f74497f2fc56d1a7475553cacc5e65d7be2e0b4612b24877036a67dda4f10f9
                                                      • Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                      • Instruction Fuzzy Hash: AE716C71B0CE8684EB248F26D9552BC66A0BF46BA4F4445FBDA4D07AB9DF3CA250C310
                                                      Function 000000014000ABD0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 150COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                        • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                        • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                      • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                      • API String ID: 3207467095-2931640462
                                                      • Opcode ID: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                      • Instruction ID: 2da19ac7c4dfbac8c42f28ebd32a6b72bd3b2cb838895640dc67fbc0c8e08b7c
                                                      • Opcode Fuzzy Hash: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                      • Instruction Fuzzy Hash: DC5169B2B10A5489EB11CF6AE8407DD37B1F709BA8F504216EF2A67BE9DB74C581C740
                                                      Function 00007FFE1A533690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$CallEncodePointerTranslator
                                                      • String ID: MOC$RCC
                                                      • API String ID: 2889003569-2084237596
                                                      • Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                      • Instruction ID: 1a411bf3eebd0cf35ff1481b0f3d1a66eb583ef3b722ff249820aa8b9cc95aa6
                                                      • Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                      • Instruction Fuzzy Hash: C7617976B09B858AE714CF66D0803BD77A0FB85BA8F0442A6EE4D17B69CF78E155C700
                                                      Function 00007FFE0142BBD8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0142B212), ref: 00007FFE0142BBFE
                                                      • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0142B212), ref: 00007FFE0142BC0F
                                                      • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0142B212), ref: 00007FFE0142BC76
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: iswspace$iswxdigit
                                                      • String ID: (
                                                      • API String ID: 3812816871-3887548279
                                                      • Opcode ID: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                      • Instruction ID: 1c7ae0158b43efd192da6c7e812c72156f48e98d6351cb2013be3a352825956e
                                                      • Opcode Fuzzy Hash: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                      • Instruction Fuzzy Hash: 8B518066E1855382EB249B6295102FD73A1EF30B84FC88035DE894F4B4EF7DE8C2D212
                                                      Function 00007FFE01429CD4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01429122), ref: 00007FFE01429CFA
                                                      • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01429122), ref: 00007FFE01429D0B
                                                      • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01429122), ref: 00007FFE01429D64
                                                      • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01429122), ref: 00007FFE01429E14
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: isspace$isalnumisxdigit
                                                      • String ID: (
                                                      • API String ID: 3355161242-3887548279
                                                      • Opcode ID: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                      • Instruction ID: 83a4e2c7d54558f7b0d06d4698eb8b8a5777983769addb14e8694fdb7b3073af
                                                      • Opcode Fuzzy Hash: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                      • Instruction Fuzzy Hash: C941D867D0C1A256FB244F31E5103FDAB929F31B98F889030CA9C0F5B6DE1DE8469712
                                                      Function 00007FFE014139E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0140A22C), ref: 00007FFE01413A25
                                                        • Part of subcall function 00007FFE013FB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7BF
                                                        • Part of subcall function 00007FFE013FB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7DB
                                                      • _Getvals.LIBCPMT ref: 00007FFE01413A61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                      • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                      • API String ID: 3848194746-3573081731
                                                      • Opcode ID: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                      • Instruction ID: 5c33ae5afdf8b2978652ab46a17444d90df35d4ebb0cd60fe6c2269545fad598
                                                      • Opcode Fuzzy Hash: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                      • Instruction Fuzzy Hash: 94418872A08B8197E725CF22958056E7BA0FB89B91B054235DB8957E31DB7CE5A2CB00
                                                      Function 00007FFE01413CB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE01413CE2
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01413D5B
                                                      • _Maklocstr.LIBCPMT ref: 00007FFE01413D71
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                      • String ID: false$true
                                                      • API String ID: 309754672-2658103896
                                                      • Opcode ID: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                      • Instruction ID: 8adda36a2d89f28cc6e5ad51ccf6fe92fa7758cbe8b7cc91af3c1ddf14bffe05
                                                      • Opcode Fuzzy Hash: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                      • Instruction Fuzzy Hash: DF417A27B18B559AE710CFB0E4401ED33B1FB98748B404126EE4E2BB29EF38D5A5C394
                                                      Function 00007FFE013F83E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                      • Instruction ID: b9890c101a35b7b58f5107871a2cff9d34121f459024380be74a25441252afd5
                                                      • Opcode Fuzzy Hash: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                      • Instruction Fuzzy Hash: 6B21BE62A0868692EB18EB15E6413B96361FF50784F844039E74D6FAB5DF3DE1A5C300
                                                      Function 00007FFE013F8D10 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2003779279-1866435925
                                                      • Opcode ID: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                      • Instruction ID: fff578b84668e00ba50e20a90453103c768a8deb9d009469e2048435f4a5e02f
                                                      • Opcode Fuzzy Hash: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                      • Instruction Fuzzy Hash: 58F0D161A1864AD6EF58EB00E8826F92322FF50744FA44839E24D0E5B5EF3DE14BC340
                                                      Function 0000000140006B70 Relevance: 7.8, APIs: 5, Instructions: 255COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                      • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                      • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                      • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                      • String ID:
                                                      • API String ID: 3275830057-0
                                                      • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                      • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                      • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                      • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                      Function 00007FFE01404A60 Relevance: 7.7, APIs: 5, Instructions: 183COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: fgetwc
                                                      • String ID:
                                                      • API String ID: 2948136663-0
                                                      • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                      • Instruction ID: 3db00aabf613547c8474c57bb9a1feddc54593c2d823dc3a1ceb4c6e0e05bdeb
                                                      • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                      • Instruction Fuzzy Hash: 45815D72609A41C9DB21CFA6C0903AC33A1FB48B88F55153AEB4E4BBA9DF3DD854C300
                                                      Function 0000000140009FD0 Relevance: 7.6, APIs: 5, Instructions: 112COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 2665656946-0
                                                      • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                      • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                      • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                      • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                      Function 00007FFE013FB90C Relevance: 7.6, APIs: 5, Instructions: 101COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FB9D3
                                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FB9E1
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBA1A
                                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBA24
                                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01421347), ref: 00007FFE013FBA32
                                                        • Part of subcall function 00007FFE014425AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5AF8), ref: 00007FFE014425C6
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID:
                                                      • API String ID: 3375828981-0
                                                      • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                      • Instruction ID: 829428d7647aba1e5c6e6fc20a8d14b9ed1971c285d01d35c2154ca3f64ab818
                                                      • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                      • Instruction Fuzzy Hash: FA318061B086C291EF14AA16E5043AAA352FB04BD0F594535EF5D1FBAADE7CE0819300
                                                      Function 00007FFE1A539FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: NameName::$Name::operator+
                                                      • String ID:
                                                      • API String ID: 826178784-0
                                                      • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                      • Instruction ID: 609a5f5545df136b8435a2d2338e33e32412857adb40e1dcaf06d2dd9b2951fc
                                                      • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                      • Instruction Fuzzy Hash: FC412722F0DE9688EB10CB22D8801B837A4BF96FA0B5440F7DA5D537A5EF39E955C300
                                                      Function 00007FFE013F4C30 Relevance: 7.5, APIs: 6, Instructions: 38COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE01402160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE013F4C3E,?,?,00000000,00007FFE013F5B5B), ref: 00007FFE0140216F
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C47
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C5B
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C6F
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C83
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4C97
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5B5B), ref: 00007FFE013F4CAB
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$setlocale
                                                      • String ID:
                                                      • API String ID: 294139027-0
                                                      • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                      • Instruction ID: 9ee17a2731a19423157ecdd698ce1aac234f08a141f5ac1fcab50ef2dc036d7f
                                                      • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                      • Instruction Fuzzy Hash: C1112D22A06A4582FF199FA1D0F573923A2EF48F08F181138CA0E1D178CF6DD894D380
                                                      Function 00007FFE01403380 Relevance: 7.5, APIs: 5, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func$abortfputcfputs
                                                      • String ID:
                                                      • API String ID: 2697642930-0
                                                      • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                      • Instruction ID: c812be0518abd22c97cf41dbc87e1815a2fe471880552ae143fd062ee4b239a8
                                                      • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                      • Instruction Fuzzy Hash: 8AE0ECA4E0864687FF086B61EC193346327DF48B92F240438C90F8E378CE3C54984251
                                                      Function 00007FFE0141C480 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                      • String ID: %.0Lf$0123456789-
                                                      • API String ID: 4032823789-3094241602
                                                      • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                      • Instruction ID: a964b73d0cbec54b1a4f4afe06c40b517a8807e07745aed6fd0454e2555fe60f
                                                      • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                      • Instruction Fuzzy Hash: 37714B72B59B6589EB00CFA5E8942AC2371EB48B98F404136DE4D5BBB8DE3CD44AC344
                                                      Function 00007FFE01426E40 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                      • String ID: 0123456789-
                                                      • API String ID: 2457263114-3850129594
                                                      • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                      • Instruction ID: c70cd1d4156369aee48da3db435fe46094c77924ccb580820d6bf0b1f3f1f557
                                                      • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                      • Instruction Fuzzy Hash: A4716B32B09B9589FB11CBA5E4502AC7771EB59B98F850135DE4D2BBB9CE3CD49AC300
                                                      Function 000000014000CA70 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 174COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                      • String ID: gfffffff$gfffffff
                                                      • API String ID: 3668304517-161084747
                                                      • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                      • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                      • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                      • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                      Function 00007FFE014270C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                      • String ID: %.0Lf
                                                      • API String ID: 1248405305-1402515088
                                                      • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                      • Instruction ID: de6a35ca3b20a25bf45af280d3e488a0cf826fb2575ca4c34eac229d13082a2d
                                                      • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                      • Instruction Fuzzy Hash: 35619222B08B8586EB01DBB5E8502AD7762FF69B98F544135EE4D2BB79DE3CD045C300
                                                      Function 00007FFE1A534044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A5341C3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort
                                                      • String ID: $csm$csm
                                                      • API String ID: 4206212132-1512788406
                                                      • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                      • Instruction ID: f94bd2f6ee013b0f5ef064bd4bf5aa4cd285101840c6bae28b81c84547c3d211
                                                      • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                      • Instruction Fuzzy Hash: AD71923A70CA8186D7648B1694507797FA0FF86FA6F0481B6EF8D47AA6CE3CD451C740
                                                      Function 00007FFE1A533E1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                      • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A533F13
                                                      • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A533F23
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                      • String ID: csm$csm
                                                      • API String ID: 4108983575-3733052814
                                                      • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                      • Instruction ID: d97c5460246ee17a826f15377bd7d26be3eb26be9688e44686fc9df53f140255
                                                      • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                      • Instruction Fuzzy Hash: E4512C32B0CA8286EA648B16944427976A0FF96FB5F5441B7DA8D47BA6CF3CE451CB00
                                                      Function 00007FFE013F2500 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Exception$RaiseThrowabort
                                                      • String ID: csm
                                                      • API String ID: 3758033050-1018135373
                                                      • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                      • Instruction ID: 1124a6f1e9041ffac7163f3f78dae90175e2735aa95a7e86d5ff78f36b3869ff
                                                      • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                      • Instruction Fuzzy Hash: D3515C22904BC5C6EB21DF28D4502A833A0FB58B98F159326DA5D1B7B6DF7DE5D5C300
                                                      Function 00007FFE013FF950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE013FF8D4
                                                      • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE013FF8E6
                                                      • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE013FF96B
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: setlocale$freemallocmemcpy
                                                      • String ID: bad locale name
                                                      • API String ID: 1663771476-1405518554
                                                      • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                      • Instruction ID: 656f286bb1330242dd1c7557d4b69de0e7e77b7496311e961e70b80a697777f2
                                                      • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                      • Instruction Fuzzy Hash: 1B31B423F086D242FF55AB15E44417A6696EF84BC0F598039DE5D5F7B5DE3CE8818340
                                                      Function 00007FFE014138A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0140A07C), ref: 00007FFE014138E1
                                                        • Part of subcall function 00007FFE013FB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7BF
                                                        • Part of subcall function 00007FFE013FB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7DB
                                                        • Part of subcall function 00007FFE014067B0: _Maklocstr.LIBCPMT ref: 00007FFE014067E0
                                                        • Part of subcall function 00007FFE014067B0: _Maklocstr.LIBCPMT ref: 00007FFE014067FF
                                                        • Part of subcall function 00007FFE014067B0: _Maklocstr.LIBCPMT ref: 00007FFE0140681E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                      • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                      • API String ID: 2904694926-3573081731
                                                      • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                      • Instruction ID: 5688e7ba9f6f8f7f3f74af9f1a39f5a683b41b2321e59823f8547b0338cb4516
                                                      • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                      • Instruction Fuzzy Hash: 6841CC72A18B8297E720CF21D18056EBBA2FB84B91B054235CB8947A21DF7CF566CB00
                                                      Function 00007FFE0142430C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFE01422278), ref: 00007FFE0142434D
                                                        • Part of subcall function 00007FFE013FB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7BF
                                                        • Part of subcall function 00007FFE013FB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01421347,?,?,?,?,?,?,?,?,?,00007FFE0142243E), ref: 00007FFE013FB7DB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                      • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                      • API String ID: 3376215315-3573081731
                                                      • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                      • Instruction ID: 3f3427ecad3a27603c0f519c9f87131ed97cfec1e8203630c5c6f20e41b695e0
                                                      • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                      • Instruction Fuzzy Hash: BA41DE72A08B8297E724CF25D58056E7BA0FB94B81B494235DB8947E31DF3CF5A2CB00
                                                      Function 00007FFE1A53A714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: NameName::
                                                      • String ID: %lf
                                                      • API String ID: 1333004437-2891890143
                                                      • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                      • Instruction ID: d1cb95642941fd45f01bff71cc34e70669a6f8dbc50eb8b6b98e7dac3ba66477
                                                      • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                      • Instruction Fuzzy Hash: AF318022B0CE8585EA20CB26A85027A6360FF86F94F4481F7EA9E47665DF3CE5428740
                                                      Function 00007FFE013FA4C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileFindNext$wcscpy_s
                                                      • String ID: .
                                                      • API String ID: 544952861-248832578
                                                      • Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                      • Instruction ID: 0be135281fad1251dffd2e4b31b6bc67bc504d546eabed2e532c314807ce7a19
                                                      • Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                      • Instruction Fuzzy Hash: DF216366A0C6C186FB70AF25E8483B973A0EB48B94F454135EA8D5B6B4DF7CD4458B40
                                                      Function 00007FFE013F6C00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                      • String ID: ios_base::badbit set
                                                      • API String ID: 1099746521-3882152299
                                                      • Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                      • Instruction ID: b896e3e4b4444bac8cd1c314fa0d1e2bea792da65e0179d3c55c599e6006891b
                                                      • Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                      • Instruction Fuzzy Hash: 4C01F991F2C68B92FF18E725D842BBD1312EF90744F55853ED58E2EAB6DE3DE5068200
                                                      Function 00007FFE1A532400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A53243E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abortterminate
                                                      • String ID: MOC$RCC$csm
                                                      • API String ID: 661698970-2671469338
                                                      • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                      • Instruction ID: 71b0fc6e5e28853ddfe2614336c8319ef393e8049bc7849868c0392f889cfc5a
                                                      • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                      • Instruction Fuzzy Hash: 4CF08C36A0CE4681EB505F23A18007D3261FF99FA0F0850F7D74802262CF3CD4A0C611
                                                      Function 00007FFE1A53E9E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE1A53E9F0
                                                        • Part of subcall function 00007FFE1A53EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A53ECF0
                                                        • Part of subcall function 00007FFE1A53EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A53E9F5), ref: 00007FFE1A53ED3F
                                                        • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A53EA1A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                      • String ID: csm$f
                                                      • API String ID: 2451123448-629598281
                                                      • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                      • Instruction ID: fe0d4b3af82a2f3562fd1e2f783c302dc6d51a382ce8b4787ba6c53bdc702396
                                                      • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                      • Instruction Fuzzy Hash: E3E06575F1CB4681E7206BA3B18513D26E5BF96F74F1480FADE4807666CE3CE8D09601
                                                      Function 00007FFE1A539CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID:
                                                      • API String ID: 2943138195-0
                                                      • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                      • Instruction ID: de3f9428d105a4ed303fede87917347479305529f309faa4fec75df94d2a6e69
                                                      • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                      • Instruction Fuzzy Hash: D8917CA2F0CE96C9F7118B62D8503BC27B0BF82B68F5440F6DA4D576A5DF78A845C340
                                                      Function 00007FFE1A53A44C Relevance: 6.1, APIs: 4, Instructions: 134COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+$NameName::
                                                      • String ID:
                                                      • API String ID: 168861036-0
                                                      • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                      • Instruction ID: a639e284ee3b93c8ada01ab0927e6416d7c231f45bed8e4c2a68f0a66268a526
                                                      • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                      • Instruction Fuzzy Hash: BB513972F1DA9688EB11CF62E8403BC37A0BB96B64F5440B6DA0E47BA5DF3AD441C750
                                                      Function 0000000140001ED0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memset$_invalid_parameter_noinfo_noreturnmemmove
                                                      • String ID:
                                                      • API String ID: 48703092-0
                                                      • Opcode ID: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                      • Instruction ID: 948ad675966271c9991ceaad39470193d7d81f5c1b48440d7dc352eab6ab828f
                                                      • Opcode Fuzzy Hash: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                      • Instruction Fuzzy Hash: B431B4B2711A9451EA06DF66F5443EDA291A788BE0F548635AF6C077E5EF38C4E2C300
                                                      Function 00007FFE01406DC8 Relevance: 6.1, APIs: 4, Instructions: 111COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE014067E5), ref: 00007FFE01406EA1
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE014067E5), ref: 00007FFE01406EF2
                                                      • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE014067E5), ref: 00007FFE01406EFC
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE01406F3D
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 1775671525-0
                                                      • Opcode ID: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                      • Instruction ID: 46494802ce9cdec9117d15989d16a464cd0736bb0a7e64eb03552749f494c34b
                                                      • Opcode Fuzzy Hash: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                      • Instruction Fuzzy Hash: 6D410262B0874692EF15DB92E1041796255EB48BE4F560639EF6E0FBF8EE3CE851C340
                                                      Function 00007FFE013F9BE8 Relevance: 6.1, APIs: 4, Instructions: 107COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 1775671525-0
                                                      • Opcode ID: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                      • Instruction ID: e9e7ed693c8be91739b6f03b50c4821f4bf959aea9c8a58af5babbd23f5e9e29
                                                      • Opcode Fuzzy Hash: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                      • Instruction Fuzzy Hash: 2F31C361B0868686EF14AB16A544369A355EF44BE8F654239EE7D0FBF5DE7CE041C300
                                                      Function 00007FFE0141FD50 Relevance: 6.1, APIs: 4, Instructions: 99COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
                                                      • String ID:
                                                      • API String ID: 2233944734-0
                                                      • Opcode ID: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                      • Instruction ID: 7cd0abc317083f681f9741cbb355a9762aec2747b76391d30ff3148505578365
                                                      • Opcode Fuzzy Hash: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                      • Instruction Fuzzy Hash: C341D422A1CB4687F7519B2590412BE63A0FF98B54F948231EE4D1B7B6DF3CE94F8640
                                                      Function 00007FFE013F3160 Relevance: 6.1, APIs: 4, Instructions: 92COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                      • String ID:
                                                      • API String ID: 2234106055-0
                                                      • Opcode ID: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                      • Instruction ID: b06568875f6ef40e142a00a3c2dbeba458978eb38326e6ba0621880d135bfe28
                                                      • Opcode Fuzzy Hash: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                      • Instruction Fuzzy Hash: AA31D826A0C7C182FB21AB16E45437D6AA1FB90B91F194039DE8E5F7B9DE3CE485C710
                                                      Function 00007FFE013F3020 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                      • String ID:
                                                      • API String ID: 3857474680-0
                                                      • Opcode ID: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                      • Instruction ID: d656499cf1c2af985915777661a374fdfa4497d75f154cb4d599cac53e9c5df5
                                                      • Opcode Fuzzy Hash: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                      • Instruction Fuzzy Hash: 1E31D462A0C7C282FB15AB15A45437D6AA1FB90B95F19403ADA8E1F7A9DE2CE484C710
                                                      Function 00007FFE1A53C87C Relevance: 6.1, APIs: 4, Instructions: 85COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID:
                                                      • API String ID: 2943138195-0
                                                      • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                      • Instruction ID: 66b11d71bcb604f444492588a7f3d036d757cea31ad410e0699a2a9156765480
                                                      • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                      • Instruction Fuzzy Hash: 44416773A08B9589E701CF66E8413BC37A0FB86B68F5480A6DA4E57769DF78A445C310
                                                      Function 00007FFE0142AF70 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE0141E921), ref: 00007FFE0142AFB7
                                                      • memcpy.VCRUNTIME140(?,00000000,?,?,?,00007FFE0141E921), ref: 00007FFE0142AFDB
                                                      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0141E921), ref: 00007FFE0142AFE8
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0141E921), ref: 00007FFE0142B05B
                                                        • Part of subcall function 00007FFE013F2E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE013F2E5A
                                                        • Part of subcall function 00007FFE013F2E30: LCMapStringEx.KERNEL32 ref: 00007FFE013F2E9E
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
                                                      • String ID:
                                                      • API String ID: 2888714520-0
                                                      • Opcode ID: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                      • Instruction ID: f06b74c7550a14bd34ba3eeb74f6bb8add422246858c16040b5bee2f3922d97c
                                                      • Opcode Fuzzy Hash: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                      • Instruction Fuzzy Hash: BA21D961B08BD186D7219F12A40096A9B94FB55BD4F984235DE6D1FBF5DE3CD4418304
                                                      Function 00007FFE013FABB4 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _wfsopen$fclosefseek
                                                      • String ID:
                                                      • API String ID: 1261181034-0
                                                      • Opcode ID: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                      • Instruction ID: 39664d18979d145c00ef3af706406949871bdcd4de5c859d1a01ecc4c798d231
                                                      • Opcode Fuzzy Hash: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                      • Instruction Fuzzy Hash: 97319321B1978543EF69DB16A4947767391EF84F84F4A4538CE0E9BBB4DE3CE8418740
                                                      Function 00007FFE013FAAA0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _fsopen$fclosefseek
                                                      • String ID:
                                                      • API String ID: 410343947-0
                                                      • Opcode ID: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                      • Instruction ID: 50fa546092234f24c44faa102d3f5fbd2bded8e646fdc7ccd14c70a9b9a5ed5e
                                                      • Opcode Fuzzy Hash: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                      • Instruction Fuzzy Hash: 46310621B2878A42FB68DB16A4446757793EF84F85F494938CE0E9B7B4DE3CEC418340
                                                      Function 0000000140010660 Relevance: 6.1, APIs: 4, Instructions: 77COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                      • String ID:
                                                      • API String ID: 4174221723-0
                                                      • Opcode ID: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                      • Instruction ID: 329cc6dd5267e1a20a6fc7da630ad77381380cdf8f0f417e816be49fa379c834
                                                      • Opcode Fuzzy Hash: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                      • Instruction Fuzzy Hash: F4315072A18B8441EB128B26E4453AE6751E79DBF4F249301F7FD0B6F9DBB9D5C08600
                                                      Function 00007FFE0142A5D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0142576B), ref: 00007FFE0142A604
                                                      • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0142576B), ref: 00007FFE0142A60E
                                                        • Part of subcall function 00007FFE013F26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE013F2728
                                                        • Part of subcall function 00007FFE013F26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE013F274E
                                                        • Part of subcall function 00007FFE013F26E0: GetCPInfo.KERNEL32 ref: 00007FFE013F2792
                                                      • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFE0142576B), ref: 00007FFE0142A631
                                                      • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE0142576B), ref: 00007FFE0142A66F
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                      • String ID:
                                                      • API String ID: 3421985146-0
                                                      • Opcode ID: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                      • Instruction ID: fe80bd2ae46c2ec51856c3c9d5f0629ae21f3a89cb63f5a1046941e78d0240ab
                                                      • Opcode Fuzzy Hash: 67ebdb8d2028b82e9ed58ed5a744d3daccf2b1b22702c2d8a250d3317050ddda
                                                      • Instruction Fuzzy Hash: F5216F72B087828AEB208F26954012DB7A6FBD4FD4B954235DE9D5BBB4CF3CE8458701
                                                      Function 000000014000FAA0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 60COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                        • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                        • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                      • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                      • API String ID: 1351999747-1487749591
                                                      • Opcode ID: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                      • Instruction ID: 71482a23b425682d2a021b79c21f529c824127a60a25d7ce3ea3483a94a8a675
                                                      • Opcode Fuzzy Hash: 011c263d19f9140a1604c488a99ec7640e8ed72f06c54b6a755ed96897cc34c0
                                                      • Instruction Fuzzy Hash: 42213972215B8485E352DF22E5503DE37A4F74CF88F588129EB890BB69CF39C662D750
                                                      Function 00007FFE0142B090 Relevance: 6.0, APIs: 4, Instructions: 46COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                      • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                      • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                      • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                      • String ID:
                                                      • API String ID: 3203701943-0
                                                      • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                      • Instruction ID: 4aaa9055f457773a3941b5a5a8dce706b35ab72d69fce494c4f36289ac21efab
                                                      • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                      • Instruction Fuzzy Hash: 0101A5A2E15B5187DF058F799804178B7A0FB58B84B549235DA4E8F734DA7CD0C18700
                                                      Function 00007FFE01428620 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 46COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: memmove$FormatFreeLocalMessage
                                                      • String ID: unknown error
                                                      • API String ID: 725469203-3078798498
                                                      • Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                      • Instruction ID: 0180ce94398c27a42c0a7b52e09b7ab3a8f6bcea21f99e41dfdd7a583b5940e4
                                                      • Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                      • Instruction Fuzzy Hash: EA11582260978682E7219F25E14036DB7A1FB99BCCF488235EA8D0F7BACF7CD5508741
                                                      Function 00007FFE013F2468 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: malloc
                                                      • String ID: MOC$RCC$csm
                                                      • API String ID: 2803490479-2671469338
                                                      • Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                      • Instruction ID: 4cbbb1d556229ea38626a6243ef7f532f862973eaa76563ac78ee8d084a25611
                                                      • Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                      • Instruction Fuzzy Hash: BC018422E08582C6EF64AF15955417E22B1EF48B84F594039DA1D2FBA5CE6CE881C602
                                                      Function 00007FFE0141C9A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                      • String ID: 0123456789-
                                                      • API String ID: 4032823789-3850129594
                                                      • Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                      • Instruction ID: 8aca4833dd0765712702b93e65cc0c92ac213c1685a50989791b092a9040a51b
                                                      • Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                      • Instruction Fuzzy Hash: 4F715A72B49B5589EB01CFA5E8902AC2371FB48B98F404136EE4D5BBB8DE3CD44AC344
                                                      Function 00007FFE0141CC30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                      • String ID: %.0Lf
                                                      • API String ID: 296878162-1402515088
                                                      • Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                      • Instruction ID: dc0b4b18a6933a4e6920fb7d219d6e3ec69581a4627b7253be32515637c9a3f5
                                                      • Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                      • Instruction Fuzzy Hash: 7C716032B48B9586EB11CBA5E8402AD7372EB94B98F504136EE4D2BB79EF3CD455C340
                                                      Function 00007FFE0141C710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                      • String ID: %.0Lf
                                                      • API String ID: 296878162-1402515088
                                                      • Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                      • Instruction ID: 1441afd0019c2530502a472fb9ba3fd323cdb9979b417486f0ef8682d68d3cfa
                                                      • Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                      • Instruction Fuzzy Hash: AF716132B08B9586EB11CB66E8802AD6372EF94B98F104136EE5D6BB79DF3CD445C340
                                                      Function 00007FFE01428F00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: rand_s
                                                      • String ID: invalid random_device value
                                                      • API String ID: 863162693-3926945683
                                                      • Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                      • Instruction ID: 4c5a42236438f87ac391a5266e83f9d91cc94ad74a838270408e4b9521b230fb
                                                      • Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                      • Instruction Fuzzy Hash: F6510162C18A8A86F3528B34C4511BE6364FF363C8F908732E61E3E5B5DF2DA4C28201
                                                      Function 00007FFE1A534710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: abort$CreateFrameInfo
                                                      • String ID: csm
                                                      • API String ID: 2697087660-1018135373
                                                      • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                      • Instruction ID: f7f131ed5dccea3007f1aa77877381869e52ecf36d6b516042412206feaeb24a
                                                      • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                      • Instruction Fuzzy Hash: E9512B7671CB8186D620AB17A04127E77B5FB8ABA1F1405B6DB8D07B66CF38E461CB00
                                                      Function 00007FFE01427330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                      • String ID: !%x
                                                      • API String ID: 1195835417-1893981228
                                                      • Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                      • Instruction ID: 0fdd913203488520331c75a2670ccc75526431eb8f5f2791cb195ac45e000b71
                                                      • Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                      • Instruction Fuzzy Hash: 8C417C62F18A9199FB00CBA5D8417EC3B71BB68798F844535EE5D2BBA9DF3C9185C300
                                                      Function 00007FFE013F32D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE013F3305
                                                        • Part of subcall function 00007FFE014425AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE013F5AF8), ref: 00007FFE014425C6
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE013F57FA,?,?,?,00007FFE013F4438), ref: 00007FFE013F32FE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                      • String ID: ios_base::failbit set
                                                      • API String ID: 1934640635-3924258884
                                                      • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                      • Instruction ID: 5dbaf2c5d475c3da415fae4e4029ca3b99c2d37f896bf6cb34a9175ca87f81c3
                                                      • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                      • Instruction Fuzzy Hash: 6621E921B09BC195DB60DB11E4402AAB3A4FF48BE0F544635EE9C5BBA8EF3CC545C700
                                                      Function 00007FFE1A539BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: Name::operator+
                                                      • String ID: void$void
                                                      • API String ID: 2943138195-3746155364
                                                      • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                      • Instruction ID: 6d1d44f62ee5a8f2598de29236c61aeedd567e38c12f4c28790ba6cc887ffc0a
                                                      • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                      • Instruction Fuzzy Hash: A7312762F1CE5988FB10CB62E8510FC37B0BB89B58B4405BADE4E53B69EF389144C750
                                                      Function 000000014000E370 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON
                                                      Download Yara Rule
                                                      APIs
                                                        • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                      • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                      • API String ID: 1654775311-1428855073
                                                      • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                      • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                      • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                      • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                      Function 00007FFE013FF1B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE013FC744), ref: 00007FFE013FF1D4
                                                        • Part of subcall function 00007FFE0142B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B0
                                                        • Part of subcall function 00007FFE0142B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0B8
                                                        • Part of subcall function 00007FFE0142B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0C1
                                                        • Part of subcall function 00007FFE0142B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE013F6093), ref: 00007FFE0142B0DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                      • String ID: false$true
                                                      • API String ID: 2502581279-2658103896
                                                      • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                      • Instruction ID: ef303df0a96c51800ef0a53ac4ed34e3f2e037f9cbc78bcc3fda6101160338d2
                                                      • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                      • Instruction Fuzzy Hash: 36217F6B608B8592E720DF21E4403A977A1FB98BA8F454536DA8C0B779DF3CD195C780
                                                      Function 00007FFE1A53604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: FileHeader$ExceptionRaise
                                                      • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                      • API String ID: 3685223789-3176238549
                                                      • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                      • Instruction ID: 2e7033c215fcb6bc7fb7089690df9eaf4ea99f5ff855eece9ab13efdae4accf1
                                                      • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                      • Instruction Fuzzy Hash: 3701B161B2DE4692EE009B16E4511B96320FFD1FA4F4060F7E60E07ABAEF6CD404C710
                                                      Function 00007FFE1A5363F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFileHeaderRaise
                                                      • String ID: csm
                                                      • API String ID: 2573137834-1018135373
                                                      • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                      • Instruction ID: c4682dba150fd1e7b3611c8f821ee4c8cf76714fe250407acccca985c27949dd
                                                      • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                      • Instruction Fuzzy Hash: 57112E32A1CB4182EB518F16E44026A7BA5FB85F94F1841B5DE8D07B64EF3DD5518700
                                                      Function 00007FFE013F6A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013F6A3D
                                                        • Part of subcall function 00007FFE013F4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4DF9
                                                        • Part of subcall function 00007FFE013F4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E28
                                                        • Part of subcall function 00007FFE013F4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E3F
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE013F6A5A
                                                      Strings
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE013F6A65
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Getmonthsmallocmemcpy
                                                      • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                      • API String ID: 1628830074-2030377133
                                                      • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                      • Instruction ID: 7d6d26b7f3a5e2e6e0cfad2596e7b2514a7ee297a45acaecea40b3c57f5f3ea7
                                                      • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                      • Instruction Fuzzy Hash: 54E0ED21A15B4693EF409B12F5843696361FF48B94F845034DA0E0BB75DF7CE4B4C300
                                                      Function 00007FFE013F69E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013F69ED
                                                        • Part of subcall function 00007FFE013F4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4DF9
                                                        • Part of subcall function 00007FFE013F4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E28
                                                        • Part of subcall function 00007FFE013F4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01406AB5,?,?,?,?,?,?,?,?,?,00007FFE0140A96E), ref: 00007FFE013F4E3F
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE013F6A0A
                                                      Strings
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE013F6A15
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Getdaysmallocmemcpy
                                                      • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 1347072587-3283725177
                                                      • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                      • Instruction ID: 426af90f47b4440abe5a6aee2f7be28b32de540249def8ac5e4e84cb0604dd72
                                                      • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                      • Instruction Fuzzy Hash: 64E0ED21A15B4293EF109B12F58436973A1EF48B94F544534DA0D0BB75DF3CE4A4C700
                                                      Function 00007FFE013F6330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013F633D
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE013F635A
                                                      Strings
                                                      • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE013F6365
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Getmonthsmallocmemcpy
                                                      • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                      • API String ID: 1628830074-4232081075
                                                      • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                      • Instruction ID: f8497dfe8c3507925476a2b0f2a297c35951d559fa87f8e566cf4f06e797f33d
                                                      • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                      • Instruction Fuzzy Hash: 6AE0C921A15B4292EF009B12F58526963A1EB58B90F484035DA1D0A775DF3CE4E4C740
                                                      Function 00007FFE013F62C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013F62CD
                                                        • Part of subcall function 00007FFE013F4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D72
                                                        • Part of subcall function 00007FFE013F4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4D98
                                                        • Part of subcall function 00007FFE013F4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE01402124,?,?,?,00007FFE013F43DB,?,?,?,00007FFE013F5B31), ref: 00007FFE013F4DB0
                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE013F62EA
                                                      Strings
                                                      • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE013F62F5
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free$Getdaysmallocmemcpy
                                                      • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                      • API String ID: 1347072587-3283725177
                                                      • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                      • Instruction ID: f6e2270fb9ea1b7cc111f1aa08b9d7a535b5494aed83a2b29bb6d18f04c7b32b
                                                      • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                      • Instruction Fuzzy Hash: E4E0ED21B15B8293EF049B12F594369A365FF48B80F848434DA1D0B775EF3CE4A4C700
                                                      Function 0000000140012990 Relevance: 5.1, APIs: 4, Instructions: 105COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 432778473-0
                                                      • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                      • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                      • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                      • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                      Function 00000001400124D0 Relevance: 5.1, APIs: 4, Instructions: 77COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1829598063.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                      • Associated: 0000000A.00000002.1829580996.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829616636.0000000140013000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829632486.0000000140014000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829649034.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1829666766.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_140000000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                      • String ID:
                                                      • API String ID: 2822070131-0
                                                      • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                      • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                      • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                      • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                      Function 00007FFE1A53672C Relevance: 5.1, APIs: 4, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,00007FFE1A5365B9,?,?,?,?,00007FFE1A53FB22,?,?,?,?,?), ref: 00007FFE1A53674B
                                                      • SetLastError.KERNEL32(?,?,?,00007FFE1A5365B9,?,?,?,?,00007FFE1A53FB22,?,?,?,?,?), ref: 00007FFE1A5367D4
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830413560.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830397022.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830433204.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830454035.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830472521.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830516286.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe1a530000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                      • Instruction ID: 0ee3973e0b358cfa8cd0812017aa008c343511199b665b3dec7f189b38af078c
                                                      • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                      • Instruction Fuzzy Hash: FE113324F0DE5282FA549723A8141362691AF86FB0F5446FED96E07BF5EE2CA8418720
                                                      Function 00007FFE01421DB0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free
                                                      • String ID:
                                                      • API String ID: 1294909896-0
                                                      • Opcode ID: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                      • Instruction ID: 0b161cbe35abb025478f37a365ca848c148f8ac6404ff633db6df27426626ba9
                                                      • Opcode Fuzzy Hash: 852486122cb00080b5639f704aaa7e58ef1ce462034cf21ce9216cf11b249809
                                                      • Instruction Fuzzy Hash: CBF0CF32A19B4293EB449B16EAA416873A6FB88F91F544031DA4E4BB70DF6DE4A5C300
                                                      Function 00007FFE01408C60 Relevance: 5.0, APIs: 4, Instructions: 27COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free
                                                      • String ID:
                                                      • API String ID: 1294909896-0
                                                      • Opcode ID: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                      • Instruction ID: 06503603013d92481f311f95c867eab23c70ac2541a2a6c18463cd258dccbfbd
                                                      • Opcode Fuzzy Hash: 182715280df3fc40601814c5744512493e6f35ef29a5c1ca4ed224eda537194d
                                                      • Instruction Fuzzy Hash: F8F0E732A19B4297EB449B16EAA41787362FF88B90F144031DA4E4BB70DF7DE4A5C300
                                                      Function 00007FFE01408CD0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free
                                                      • String ID:
                                                      • API String ID: 1294909896-0
                                                      • Opcode ID: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                      • Instruction ID: 58c93d1b5776f3a24b80f1950f7b380fcd2f98012b1323db5bcdec5318b7bdf8
                                                      • Opcode Fuzzy Hash: a847ff6ca7fe839d6cc9187651e3f3298f1fa2e3cccaa43c942698b5ae7eda73
                                                      • Instruction Fuzzy Hash: 7FF0E732A19B4293EB449B16EAA417873A2FF88B90F144031DA4D4BB70DF7DE4A5C300
                                                      Function 00007FFE01408A08 Relevance: 5.0, APIs: 4, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1830244772.00007FFE013F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013F0000, based on PE: true
                                                      • Associated: 0000000A.00000002.1830225770.00007FFE013F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830283982.00007FFE01445000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830300978.00007FFE01446000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830328564.00007FFE01473000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830353434.00007FFE01474000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                      • Associated: 0000000A.00000002.1830373221.00007FFE01477000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_7ffe013f0000_ImporterREDServer.jbxd
                                                      Similarity
                                                      • API ID: free
                                                      • String ID:
                                                      • API String ID: 1294909896-0
                                                      • Opcode ID: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                      • Instruction ID: 111f7ae8152226d857051dd424f58d31100f2e509658485dd0251826edf07c38
                                                      • Opcode Fuzzy Hash: 6450893b12e4e8d3ba59de380ae1c872c3a05a801a1968db1460924bde307dc7
                                                      • Instruction Fuzzy Hash: 59E00276E15A0183FF159F62D8A40286375FF98F59B181032CE1E4E274DE6CD895C700